[syslog-ng] patterndb
Balazs Scheidler
bazsi at balabit.hu
Wed Nov 27 11:19:26 CET 2013
On Tue, 2013-11-26 at 13:56 +0100, Fabien Wernli wrote:
> Hi,
>
> I'm currently organizing my patterndb files into something easily
> maintainable, and I ran into the following problem, best explained using an
> example: sshd and pam_unix.
>
> Some of sshd specific patterns reside in a specific ruleset, e.g.
>
> <ruleset name='sshd' id='A'>
> <patterns>
> <pattern>sshd</pattern>
> </patterns>
> <rules>
> <rule>
> ...
> </rule>
> </rules>
> </ruleset>
>
> Some of sshd's messages come from pam_unix, e.g. modules/pam_unix/support.c,
> and are shared among other daemons:
>
> <ruleset name='pam_unix' id='B'>
> <patterns>
> <pattern>crond</pattern>
> <pattern>imap</pattern>
> <pattern>login</pattern>
> <pattern>pam</pattern>
> <pattern>pure-ftpd</pattern>
> <pattern>proftpd</pattern>
> <pattern>sshd</pattern>
> <pattern>su</pattern>
> <pattern>sudo</pattern>
> ...
> </patterns>
> <rules>
> <rule>
> ...
> </rule>
> </rules>
> </ruleset>
>
> The problem is, when a sshd message is parsed, even if it doesn't match any
> rules in ruleset 'A', ruleset 'B' isn't even considered for matching.
>
> So how do I properly organize my pdb tree, without duplicating rules in multiple
> source files?
hmm... patterns are merged, so which file the given pattern is read from
is irrelevant.
syslog-ng matches on the $PROGRAM value first (the pattern listed right
below the ruleset tag) and then the $MESSAGE value.
So it should just work (tm). If it doesn't then probably the merge
algorithm is at fault.
Could you please create a simpler, artificial example that demonstrates the
issue so that I can reproduce it locally?
Thanks.
--
Bazsi
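As an added illustration of the lookup order Bazsi describes (not code from the thread or from syslog-ng itself), the following Python script models the two-level match: every ruleset's rules are merged into one index keyed by the $PROGRAM patterns, and only then is $MESSAGE matched. It also models the symptom Fabien reports, where only the first ruleset naming the program is searched, so the two behaviours can be compared on the same constructed input. The sample patterndb, the rule ids `A-1`/`B-1`, the messages and the tiny pattern-to-regex translator (which supports only `@ESTRING@`, `@NUMBER@` and `@ANYSTRING@`, nothing like syslog-ng's real radix tree) are all assumptions made for this example.

```python
"""Toy model of patterndb lookup: merge rules by $PROGRAM, then match $MESSAGE.
Constructed example; not syslog-ng's implementation."""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample pdb: both rulesets list 'sshd' as a program pattern.
SAMPLE_PDB = """<patterndb version='4' pub_date='2013-11-27'>
  <ruleset name='sshd' id='A'>
    <patterns><pattern>sshd</pattern></patterns>
    <rules>
      <rule provider='example' id='A-1' class='system'>
        <patterns>
          <pattern>Accepted @ESTRING:auth_method: @for @ESTRING:user: @from @ESTRING:src_ip: @port @NUMBER:src_port@ ssh2</pattern>
        </patterns>
      </rule>
    </rules>
  </ruleset>
  <ruleset name='pam_unix' id='B'>
    <patterns>
      <pattern>crond</pattern>
      <pattern>sshd</pattern>
      <pattern>su</pattern>
      <pattern>sudo</pattern>
    </patterns>
    <rules>
      <rule provider='example' id='B-1' class='security'>
        <patterns>
          <pattern>pam_unix(@ESTRING:service::@auth): authentication failure; logname=@ESTRING:logname: @uid=@NUMBER:uid@ euid=@NUMBER:euid@ tty=@ESTRING:tty: @ruser=@ESTRING:ruser: @rhost=@ESTRING:rhost: @ user=@ANYSTRING:user@</pattern>
        </patterns>
      </rule>
    </rules>
  </ruleset>
</patterndb>"""

# Constructed sample messages (both arrive with $PROGRAM == 'sshd').
SSH_MSG = "Accepted publickey for root from 10.0.0.1 port 51234 ssh2"
PAM_MSG = ("pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 "
           "tty=ssh ruser= rhost=10.0.0.1  user=root")

_PARSER_RE = re.compile(r"@(\w+):(\w+)(?::([^@]*))?@")


def pattern_to_regex(pattern):
    """Translate a small subset of patterndb syntax into an anchored regex.
    @ESTRING:name:delim@ matches up to (and consumes) delim, @NUMBER:name@
    matches digits, @ANYSTRING:name@ matches the rest of the message."""
    out, pos = [], 0
    for m in _PARSER_RE.finditer(pattern):
        out.append(re.escape(pattern[pos:m.start()]))
        kind, name, delim = m.group(1), m.group(2), m.group(3)
        if kind == "ESTRING":
            if not delim:
                raise ValueError("ESTRING needs a delimiter")
            out.append(f"(?P<{name}>.*?){re.escape(delim)}")
        elif kind == "NUMBER":
            out.append(f"(?P<{name}>\\d+)")
        elif kind == "ANYSTRING":
            out.append(f"(?P<{name}>.*)")
        else:
            raise ValueError(f"unsupported parser @{kind}@")
        pos = m.end()
    out.append(re.escape(pattern[pos:]))
    return re.compile("^" + "".join(out) + "$")


def load(pdb_xml):
    """Return [(ruleset_id, [program patterns], [(rule_id, class, [regex])])]."""
    rulesets = []
    for rs in ET.fromstring(pdb_xml).findall("ruleset"):
        programs = [p.text for p in rs.findall("patterns/pattern")]
        rules = [(r.get("id"), r.get("class"),
                  [pattern_to_regex(p.text) for p in r.findall("patterns/pattern")])
                 for r in rs.findall("rules/rule")]
        rulesets.append((rs.get("id"), programs, rules))
    return rulesets


def build_index(rulesets):
    """Merged lookup: each rule is registered under every program pattern of
    its ruleset, so which ruleset (or file) it came from no longer matters."""
    index = defaultdict(list)
    for rs_id, programs, rules in rulesets:
        for program in programs:
            for rule in rules:
                index[program].append((rs_id, rule))
    return index


def _try(rules, message):
    for rs_id, (rule_id, cls, regexes) in rules:
        for rx in regexes:
            m = rx.match(message)
            if m:
                return {"ruleset": rs_id, "rule_id": rule_id, "class": cls, **m.groupdict()}
    return None


def match_merged(index, program, message):
    """Match on $PROGRAM first, then $MESSAGE against all rules for that program."""
    return _try(index.get(program, []), message)


def match_first_ruleset(rulesets, program, message):
    """Model of the reported symptom: only the first ruleset whose program
    patterns contain $PROGRAM is searched, with no fall-through to others."""
    for rs_id, programs, rules in rulesets:
        if program in programs:
            return _try([(rs_id, r) for r in rules], message)
    return None


if __name__ == "__main__":
    rs = load(SAMPLE_PDB)
    idx = build_index(rs)
    print(match_merged(idx, "sshd", PAM_MSG))        # B-1: found via the merged index
    print(match_first_ruleset(rs, "sshd", PAM_MSG))  # None: ruleset A has no pam_unix rule
```

Running it shows that with the merged index the pam_unix message tagged program `sshd` is classified by rule `B-1` even though ruleset `A` also claims `sshd`, while the per-ruleset lookup returns nothing for the same message; that difference is what a reduced reproducer for the thread would need to exhibit.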