Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  1. The Linux App for SUSE is running on messages, mail and audit standard logs.
    When adding/editing the logs to XpoLog it is mandatory to apply the correct log type(s) to each of the logs:
    1. suse - all logs that the application will analyze must have suse as a log type.
    2. linux - all logs that the application will analyze must have linux as a log type.
    3. messages - only the messages logs must also be configured to have messages as a log type.
    4. maillog- only the mail logs must also be configured to have mail as a log type.
    5. audit - only the mail log must also be configured to have audit as a log type.
    6. zypper - only the zypper log must also be configured to have zypper as a log type.


  2. Once the required information is set, on each log click next and edit the log pattern, this step is crucial to the accuracy and deployment of the Linux App. Use the following patterns for each of the logs:
    1. SUSE messages log:
      First Pattern:
      {date:Date,MMM dd HH:mm:ss} {text:source,ftype=source} {text:process name,ftype=process;,}: [{text:time-taken,ftype=time-taken;,}] {text:Message,ftype=message}
      Second Pattern:
      {date:Date,MMM dd HH:mm:ss} {text:source,ftype=source} {text:process name,ftype=process;,}{block,start,emptiness=true}[{text:pid,ftype=pid}]{block,end,emptiness=true}:{regexp:User,ftype=accountid;refName=message,([passed|failed|closed|opened] for user |password for invalid user |password for |USER=|user )[XPLG_PARAM([^\s\.\u005D]+)].*}{regexp:Sourceip,ftype=sourceip;refName=Message,(\d+\.\d+\.\d+\.\d+).*} {text:Message,ftype=message;,}

    2. SUSE maillog:
      {date:Date,MMM dd HH:mm:ss} {text:source,ftype=source} {text:process name,ftype=process;,}{block,start,emptiness=true}[{number:process id}]{block,end,emptiness=true}: {regexp:session,refName=Message;ftype=session,^(\w+):}{regexp:From,refName=Message;ftype=from,\s+from=\u003C?([^\u003E,]+)}{regexp:To,refName=Message;ftype=to,\s+to=\u003C?([^\u003E,]+)}{regexp:Size,refName=Message;ftype=size,size=([^\s,]+).*}{regexp:Class,refName=Message;ftype=class,class=([^\s,]+).*}{regexp:nrcpts,refName=Message;ftype=nrcpts,nrcpts=([^\s,]+).*}{regexp:msgID,refName=Message;ftype=msgid,msgid=<([^>]+).*}{regexp:Proto,refName=Message;ftype=protocol,proto=([^\s,]+).*}{regexp:Stat,refName=Message;ftype=status,stat=([^\s,]+).*}{regexp:Relay,refName=Message;ftype=relay,relay=([^\s,]+).*}{string:Message,ftype=message;,}

    3. SUSE audit log:
      type={text:Type,ftype=eventid}{map:Event Description,ftype=event descriptioneventdescription;refIndex=0,file:knowledge/repository/system/linux/map/linux-audit.prop}{map:Category,ftype=category;refIndex=0,file:knowledge/repository/system/linux/map/linux-audit-categories.prop} msg=audit({timestamp:Date,yyyy-MM-dd HH:mm:ss.SSS}:{text:Message ID}): {properties:values,keysSep==;propSep=space;,pid#_#ftype=pid#_#name=PID;uid#_#name=UID;auid#_#ftype=auid;old-auid#_#ftype=oldauid#_#name=Old auid;ses#_#ftype=sessionid#_#name=Sessionid;sub;tty;old-ses;res}{block,start,emptiness=true} msg=''{properties:msg,keysSep==;propSep=space;,op#_#ftype=op#_#name=OP;exe#_#ftype=exe;hostname#_#ftype=machine#_#name=Hostname;addr#_#ftype=sourceip;terminal#_#ftype=terminal#_#name=Terminal;res#_#ftype=status#_#name=Status;acct#_#ftype=accountid;fp#_#ftype=fp;kind#_#ftype=kind;direction#_#ftype=direction;spid#_#ftype=spid;suid#_#ftype=suid;rport#_#ftype=rport#_#name=Rport;port#_#ftyperport#_#name=Port;comm#_#ftype=comm;unit#_#ftype=unit;id#_#ftype=uid#_#name=ID}''{regexp:New Name,ftype=newname;refName=OP,new name:\s+([^\s]+).*}{regexp:New GID,ftype=newgid;refName=OP,new gid:\s+(\d+)}{regexp:Operation,ftype=operation;refName=OP,([^\u003B]+).*}{block,end,emptiness=true}

    4. SUSE zypper log:
      {date:Date,yyyy-MM-dd HH:mm:ss} <{number:number1}> {text:ip,ftype=sourceip}({number:pid}) [{text:process}] {string:Message,ftype=message}