SafeAF / enterprise-log-search-and-archive

Automatically exported from code.google.com/p/enterprise-log-search-and-archive
0 stars 0 forks source link

Parsing is not successful on the web interface #224

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1.Added new patterns  to the file patternsdb.xml ( )
2.I tested this pattern using pdbtool and it was successful
3.I added the corresponding mysql classes and fields, which appeared 
successfully on the web graphical interface

What is the expected output? What do you see instead?
I expected that the related log will be marked as the new added class, but it 
is still undefined (class=none).
Also note that i removed everything in the patterndb.xml file except the newly 
added class, but still i can see classes on the web interface.
What version of the product are you using? On what operating system?
centos6.5
elsa is downloaded recently from code.google.com

Please provide any additional information below.

Additional info:

[root@ELSA ~]# /usr/local/syslog-ng/bin/pdbtool match -p 
/usr/local/elsa/node/conf/patterndb.xml -P adminlogin -M "931 Base 
SECURITY-MINOR-ssh_user_logout-2010 [user1]: User user1 from 1.1.1.1 logged out"
MESSAGE=931 Base SECURITY-MINOR-ssh_user_logout-2010 [user1]: User user1 from 
1.1.1.1 logged out
PROGRAM=adminlogin
.classifier.class=adminlogin
.classifier.rule_id=10002
s0=user1
s1=user1
i0=1.1.1.1
TAGS=.classifier.adminlogin

mysql> use syslog
mysql> INSERT INTO classes (id, class) VALUES (10002, "adminlogin");

mysql> INSERT INTO fields (field, field_type, pattern_type) VALUES 
("myuser1","string", "QSTRING");
mysql> INSERT INTO fields (field, field_type, pattern_type) VALUES 
("myuser2","string", "QSTRING");
mysql> INSERT INTO fields_classes_map (class_id, field_id, field_order) VALUES 
((SELECT id FROM classes WHERE class="adminlogin"), (SELECT id FROM fields 
WHERE field="srcip"), 5);
mysql> INSERT INTO fields_classes_map (class_id, field_id, field_order) VALUES 
((SELECT id FROM classes WHERE class="adminlogin"), (SELECT id FROM fields 
WHERE field="myuser1"), 11);
mysql> INSERT INTO fields_classes_map (class_id, field_id, field_order) VALUES 
((SELECT id FROM classes WHERE class="adminlogin"), (SELECT id FROM fields 
WHERE field="myuser2"), 12);

Original issue reported on code.google.com by mahdi.da...@gmail.com on 11 Sep 2014 at 11:08

GoogleCodeExporter commented 9 years ago
You can try this:
Add pattern to "/usr/local/elsa/node/conf/merged.xml"
Use Importing function:
create 3.txt text file: test_prog source_ip 1.1.1.1 sent 50 bytes to 
destination_ip 2.2.2.2 from user joe
cat 3.txt >  /data/elsa/tmp/import 
==> it' work.
Sorry for my bad english. :)

Original comment by tangngoc...@gmail.com on 3 Oct 2014 at 9:22