;; syslog 
;; plugin_id: 4007
;; type: detector 
;;

[DEFAULT]
plugin_id=4007

[config]
type=detector
enable=yes

source=log
# Enable syslog to log everything to one file. Add it to log rotation also.
# echo "*.*     /var/log/all.log" >> /etc/syslog.conf; killall -HUP syslogd
location=/var/log/all.log

# create log file if it does not exists, 
# otherwise stop processing this plugin
create_file=true

process=
start=no   
stop=no
startup=
shutdown=


## rules

[syslog - datamining]
# Sep  6 12:07:26 ossim-devel su[9886]: FAILED su for root by juanma
event_type=event
regexp="^(?P<logline>(\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<sensor>[^\s]+)\s+(?P<generator>[^\[]*)(\[(?P<pid>\d+)\])?:(\s+)?([^:]+|\s+)?(?P<logged_event>.*))$"
sensor={resolv($sensor)}
date={normalize_date($1)}
plugin_sid=1
sensor={resolv($sensor)}
userdata1={md5sum($logline)}
userdata2={$logline}
userdata3={$generator}
userdata4={$logged_event}
userdata5={$pid}