[syslog-ng] pdbtool 'patternize'
David Hauck
davidh at netacquire.com
Wed Apr 16 17:10:02 CEST 2014
Hi Péter,
Thanks to you and Robert for the extra information.
Cheers,
-David
On Wednesday, April 16, 2014 3:13 AM, Péter Gyöngyösi <gyp at balabit.hu> wrote:
> Hi David,
>
> Robert is right, the pattern version is hardcoded. Taking a glimpse at
> the patterndb v3 and v4 XSDs I think the update should indeed be
> trivial, the format is upwards compatible. I'll send a pull request
> for this change in a minute.
>
> Regarding the formatting: it uses the parsing mechanism of syslog-ng
> internally. It works just as if you specified a file() source for
> syslog-ng with flags(syslog-protocol) added. You can also give
> "--no-parse" for the tool which makes it parse logs just like a file()
> source with flags(no-parse). It wouldn't be too complicated to make it
> possible to use all available file source flags but I never got around
> to doing it.
>
> cheers,
> Peter
>
> On Wed, Apr 16, 2014 at 1:40 AM, David Hauck <davidh at netacquire.com>
> wrote:
>
> Hello,
>
> Does anyone have an explanation for why a "pdbtool patternize"
> generated pattern db indicates it is version '3'? I'm running the
> latest version of syslog-ng (3.5.4.1) so I was expecting that this
> would produce a version '4' pattern db. Easy enough to change in the
> generated XML, just wondering why the latest generator wouldn't create
> the latest version.
>
> Also, what is the nominal format for the log messages that the
> 'patternize' command is able to process (i.e., would this be logs that
> contain the nominally formatted syslog-ng output - e.g., via the
> default template: template("$ISODATE $HOST $MSGHDR$MSG\n");). I've seen
> some output that appears to suggest there's some nominal decoding of
> the input log messages.
>
> Thanks,
> -David