The log could not match to the patterndb #5

Open
bachkhoabk47 opened this issue Nov 5, 2015 · 1 comment
Dear authors!
My name is Tan and I come from Vietnam.
You know, I just tried to use the sshd patterndb from the link sshd.xml.
Of course, I had to modify the source file a little bit to suit my log.
For example, one of my source log lines is like below.

Nov 5 08:48:26 ebSupportSendingGW8 sudo: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/sbin/qshape incoming

And then, I tried some ways in patterndb, and the last way, which is also the bad way, is like:

root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/sbin/qshape deferred

Sorry if I wrote some special characters and they could not be displayed, like patterndb.

After that I used dbtool to check whether the log matches the patterndb, and I saw this:

HOST=ebSupportSendingGW8
MESSAGE= root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/sbin/qshape incoming
PROGRAM=sudo
LEGACY_MSGHDR=sudo:
.classifier.class=unknown
TAGS=.classifier.unknown

It means the log line could not be matched to the patterndb.

But with another log line, I can see it match:

HOST=ebSupportSendingGW8
MESSAGE=Failed password for invalid user root from x.x.x.x port 1847 ssh2
PROGRAM=sshd
PID=19291
LEGACY_MSGHDR=sshd[19291]:
.classifier.class=violation
.classifier.rule_id=failed-1
ssh.auth.method=password
ssh.auth.user=invalid user root
ssh.src.ip=x.x.x.x
ssh.src.port=1847
ssh.proto=ssh2
TAGS=.classifier.violation

As I see it, the difference between the two log lines is the LEGACY_MSGHDR name (sshd[19291] and sudo).

So, can you give me any suggestion? I mean the way to write a pattern for this log:

Nov 5 08:48:26 ebSupportSendingGW8 sudo: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/sbin/qshape incoming

Thanks and best regards!

@bachkhoabk47 (Author)

I read the log and the patterndb again, and then I resolved this issue.
The way is that you should define a new ruleset in your patterndb like this: click here.
The LEGACY_MSGHDR "sudo" goes in "<pattern>sudo</pattern>" and "<ruleset id='97c1454e-9a1f-4b2b-b272-49b1708848645' name='sudo'>".
Thanks!
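A complete ruleset of the kind the resolution describes, as an added example that is not from the issue or from the syslog-ng project: the ruleset `<pattern>` is matched against $PROGRAM (here `sudo`), and the rule pattern then parses the sudo message body into fields. The `sudo.*` field names, the tag, the provider and the UUIDs are placeholders I chose; the example assumes syslog-ng has already stripped the `sudo:` header and any leading whitespace from $MESSAGE.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the issue or the syslog-ng project.
     Field names (sudo.*), provider and the rule/ruleset ids are
     placeholders: generate real ids with `uuidgen` before use. -->
<patterndb version="4" pub_date="2015-11-05">
  <!-- The ruleset <pattern> is matched against $PROGRAM, which syslog-ng
       derives from the legacy header ("sudo:" -> PROGRAM=sudo). The sshd
       ruleset never saw this line because its pattern is "sshd". -->
  <ruleset name="sudo" id="00000000-0000-0000-0000-000000000001">
    <pattern>sudo</pattern>
    <rules>
      <rule provider="example" id="00000000-0000-0000-0000-000000000002"
            class="system">
        <patterns>
          <!-- Matched against $MESSAGE (the "sudo:" header is already
               stripped). ESTRING reads up to its one-character delimiter;
               ANYSTRING takes the rest of the line. -->
          <pattern>@ESTRING:sudo.user: @: TTY=@ESTRING:sudo.tty: @; PWD=@ESTRING:sudo.pwd: @; USER=@ESTRING:sudo.target_user: @; COMMAND=@ANYSTRING:sudo.command@</pattern>
        </patterns>
        <tags>
          <tag>sudo.command</tag>
        </tags>
        <examples>
          <!-- Assumes leading whitespace was stripped; if $MESSAGE keeps
               the padding sudo emits before the user name, the pattern
               must start with that whitespace as well. -->
          <example>
            <test_message program="sudo">root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/sbin/qshape incoming</test_message>
            <test_values>
              <test_value name="sudo.user">root</test_value>
              <test_value name="sudo.tty">unknown</test_value>
              <test_value name="sudo.pwd">/</test_value>
              <test_value name="sudo.target_user">root</test_value>
              <test_value name="sudo.command">/usr/sbin/qshape incoming</test_value>
            </test_values>
          </example>
        </examples>
      </rule>
    </rules>
  </ruleset>
</patterndb>
```

`pdbtool test sudo.xml` runs the embedded example against the rule, and `pdbtool match -p sudo.xml -P sudo -M 'root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/sbin/qshape incoming'` shows the same field output the issue quotes for the sshd line.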
