pdbtool test and pattern database reloaded
Monday, July 19, 2010 @ 07:07 PM Author: Márton Illés
I did not have much time recently to work on or blog about patterndb or any other syslog-ng related stuff. Luckily there was some activity on the syslog-ng mailing list with questions regarding db_parser/patterndb, and others stepped up and tried to help. What is even better is that Bazsi spent some time on actually putting together a schema for patterndb and even added some messages with proper classification as well. So we have a schema and some patterns for user accounting logs, especially for ssh messages. There is a git tree where you can track the progress or send patches:
Check it out, and please also send us your message examples so we can extend the database. We are happy to receive patches as well.
For the above patterndb I have also extended pdbtool with an automatic testing capability. The patterndb XML format has room for storing example test messages, together with the expected results, alongside the rules. This is very handy: it makes pattern development easier and also helps you troubleshoot patterns later on. The XML format is very simple:
session closed for user @ANYSTRING:usracct.username:@ session closed for user bazsi bazsi logout $PID $PROGRAM usracct
Here there is only one example message, checking for one expected parsed name/value pair. My patch adds a pdbtool test command which runs all the examples against the given patterndb to see whether every example message matches the appropriate rule; it also checks the expected name/value pairs and reports any missing or different value, like this:
$ pdbtool test -p sshd.pdb -v ; echo $?
Testing message program='sshd' message='Failed password for bazsi from 127.0.1.1 port 44637 ssh2'
Match name='.classifier.rule_id', value='aecda233-3d80-48cd-a72b-4896f58069c8', expected='aecda233-3d80-48cd-a72b-4896f58069c8'
Match name='usracct.username', value='bazsi', expected='bazsi'
Match name='usracct.authmethod', value='password', expected='password'
Match name='usracct.device', value='127.0.1.1', expected='127.0.1.1'
Match name='usracct.service', value='ssh2', expected='ssh2'
Testing message program='sshd' message='Accepted password for bazsi from 127.0.0.1 port 48650 ssh2'
Match name='.classifier.rule_id', value='4dd5a329-da83-4876-a431-ddcb59c2858c', expected='4dd5a329-da83-4876-a431-ddcb59c2858c'
Match name='usracct.username', value='bazsi', expected='bazsi'
Match name='usracct.authmethod', value='password', expected='password'
Match name='usracct.device', value='127.0.0.1', expected='127.0.0.1'
Match name='usracct.service', value='ssh2', expected='ssh2'
0
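To pin down what the test actually checks (both the example layout in the XML snippet above and the Match/Mismatch verdicts in this output), here is an added example in Python; it is my own code, not pdbtool's or syslog-ng's. It loads a small constructed patterndb XML, translates the @PARSER:name:param@ tokens of each pattern into a regular expression (a simplification of syslog-ng's radix-tree matcher; only ANYSTRING, ESTRING and NUMBER are handled), classifies every test message and reports one Match or Mismatch line per expected value. The element names (ruleset, rule, patterns, examples, test_message, test_values, test_value) follow the patterndb v3 schema as I understand it, and the rule ids are placeholders, not the ids of the real sshd.pdb rules.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample database; element names are assumed from the patterndb v3
# schema and the rule ids are placeholders, not those of the real sshd.pdb.
SAMPLE_PDB = """<patterndb version="3"><ruleset name="sshd" id="ruleset-example"><pattern>sshd</pattern>
<rules>
<rule provider="example" id="rule-logout-example" class="usracct">
 <patterns><pattern>session closed for user @ANYSTRING:usracct.username:@</pattern></patterns>
 <examples><example><test_message program="sshd">session closed for user bazsi</test_message>
  <test_values><test_value name="usracct.username">bazsi</test_value></test_values>
 </example></examples>
</rule>
<rule provider="example" id="rule-failed-example" class="usracct">
 <patterns><pattern>Failed @ESTRING:usracct.authmethod: @for @ESTRING:usracct.username: @from @ESTRING:usracct.device: @port @NUMBER:usracct.port:@ @ANYSTRING:usracct.service:@</pattern></patterns>
 <examples><example><test_message program="sshd">Failed password for bazsi from 127.0.1.1 port 44637 ssh2</test_message>
  <test_values><test_value name="usracct.username">bazsi</test_value>
   <test_value name="usracct.authmethod">password</test_value>
   <test_value name="usracct.device">127.0.1.1</test_value>
   <test_value name="usracct.service">ssh2</test_value></test_values>
 </example></examples>
</rule>
</rules></ruleset></patterndb>"""

PARSER_RE = {"ANYSTRING": r".*", "NUMBER": r"\d+"}   # ESTRING is handled separately


def pattern_to_regex(pattern):
    """Compile a patterndb pattern to an anchored regex; also return the map from
    regex group name to patterndb value name (value names contain dots, groups cannot)."""
    regex, names, pos = "", {}, 0
    while pos < len(pattern):
        if pattern.startswith("@@", pos):          # escaped literal '@'
            regex, pos = regex + "@", pos + 2
        elif pattern[pos] != "@":                  # literal text
            regex, pos = regex + re.escape(pattern[pos]), pos + 1
        else:                                      # @PARSER:name:param@
            end = pattern.index("@", pos + 1)
            kind, name, param = (pattern[pos + 1:end].split(":", 2) + ["", ""])[:3]
            if kind == "ESTRING":                  # text up to the delimiter, which is consumed
                inner, tail = (r".*?", re.escape(param)) if param else (r".*", "")
            else:
                inner, tail = PARSER_RE[kind], ""  # KeyError: parser not supported here
            if name:
                group = f"g{len(names)}"
                names[group] = name
                inner = f"(?P<{group}>{inner})"
            regex, pos = regex + inner + tail, end + 1
    return re.compile("^" + regex + "$"), names


def load_rules(xml_text):
    """Flatten the database into rules with compiled patterns and their examples."""
    rules = []
    for ruleset in ET.fromstring(xml_text).iter("ruleset"):
        programs = {p.text for p in ruleset.findall("pattern")}   # ruleset-level program match
        for rule in ruleset.iter("rule"):
            examples = [(ex.find("test_message").get("program"), ex.find("test_message").text,
                         {tv.get("name"): tv.text for tv in ex.iter("test_value")})
                        for ex in rule.iter("example")]
            rules.append({"id": rule.get("id"), "class": rule.get("class"), "programs": programs,
                          "patterns": [pattern_to_regex(p.text) for p in rule.iter("pattern")],
                          "examples": examples})
    return rules


def classify(rules, program, message):
    """Name/value pairs from the first rule matching (program, message), or None."""
    for rule in rules:
        if program not in rule["programs"]:
            continue
        for regex, names in rule["patterns"]:
            m = regex.match(message)
            if m:
                values = {names[g]: v for g, v in m.groupdict().items()}
                values.update({".classifier.rule_id": rule["id"], ".classifier.class": rule["class"]})
                return values
    return None


def run_tests(xml_text):
    """Check every example; returns (failures, report lines). No failures means exit 0."""
    rules = load_rules(xml_text)
    failures, report = [], []
    for rule in rules:
        for program, message, expected in rule["examples"]:
            report.append(f"Testing message program='{program}' message='{message}'")
            values = classify(rules, program, message)
            if values is None or values[".classifier.rule_id"] != rule["id"]:
                failures.append(f"{rule['id']}: example message did not match its own rule")
                continue
            for name, want in expected.items():
                got = values.get(name)
                report.append(f"{'Match' if got == want else 'Mismatch'} name='{name}', "
                              f"value='{got}', expected='{want}'")
                if got != want:
                    failures.append(f"{rule['id']}: {name} value='{got}' expected='{want}'")
    return failures, report


if __name__ == "__main__":   # same contract as `pdbtool test ... ; echo $?`
    failed, lines = run_tests(SAMPLE_PDB)
    print("\n".join(lines + failed))
    sys.exit(1 if failed else 0)
```

Running the file prints the report and exits with status 1 when any example fails, mirroring the `; echo $?` in the command above. The comparison of `.classifier.rule_id` against the rule the example belongs to is what catches the case where an example is swallowed by an earlier, more general rule: the message "matches", but not where the author intended, and the parsed values would be wrong in production even though each individual pattern looks fine.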
Of course pdbtool test can be just as useful for your own rulesets, provided test messages are available in the patterndb XML.
Happy parsing!