Hi guys,<br /><br />I have following situation - I can parse with pdbtool bellow message successfully but when I parse it through syslog-ng.conf and put .classifier.class in DB I got &quot;unknown&quot; in the field where is placed .classifier.class or nothing when put the value FailedLogin_USERNAME in the table.<br />Please see my syslog-ng.conf file below.<br /><br />Please help me to find the mistake. Thank you.<br /><br />Kosta<br /><br />Values:<br />MESSAGE=Sep 13 17:34:00 server1 sshd[20981]: Failed keyboard-interactive/pam for invalid user dfgdf from x.x.x.x port 3602 ssh2<br />PROGRAM=ssh<br />.classifier.class=violation<br />.classifier.rule_id=ssh-failed<br />FailedLogin_MONTH=Sep<br />FailedLogin_DATE=13<br />FailedLogin_TIME=17:34:00<br />FailedLogin_SERVER=server1<br />FailedLogin_SERVICE.ID2=sshd[20981]:<br />FailedLogin_USERNAME=dfgdf<br />FailedLogin_SOURCE_IP=x.x.x.x<br />FailedLogin_SOURCE.PORT=3602<br />kosta@Kostadin:~$ /opt/syslog-ng/bin/pdbtool match -D -c -p /opt/syslog-ng/var/login.parser.new.xml -P &quot;ssh&quot; -M &quot;Sep 13 17:34:00 server1 sshd[20981]: Failed keyboard-interactive/pam for invalid user dfgdf from x.x.x.x port 3602 ssh2&quot;<br /><br /><br />&lt;rule provider=&#39;balabit&#39; id=&#39;ssh-failed&#39; class=&#39;violation&#39;&gt;<br />&lt;patterns&gt;<br />&lt;pattern&gt;@ESTRING:FailedLogin_MONTH: @@ESTRING:FailedLogin_DATE: @@ESTRING:FailedLogin_TIME: @@ESTRING:FailedLogin_SERVER: @@ESTRING:FailedL$<br />&lt;/patterns&gt;<br />&lt;/rule&gt;<br /><br /><br /><br /><br /><br /><br /><br /><br />################<br /># DESTINATIONS #<br />################<br /><br />destination d_mssql_unix {<br />sql(type(mssql) host(&quot;medea.mobiltel.bg&quot;) port(&quot;1433&quot;)<br />username(&quot;syslog_ng&quot;) password(&quot;nglogp@ss&quot;) database(&quot;SysLog&quot;)<br />table(&quot;SYSLOG_unix1&quot;)columns(&quot;Date varchar(40)&quot;, &quot;Time varchar(16)&quot;, &quot;SourceServer varchar(8)&quot;, &quot;SendingProgram varchar(5)&quot;, &quot;PID varchar(6)$<br />values(&quot;$DATE_&quot;, &quot;$TIME_&quot;, &quot;$HOST&quot;, &quot;$PROGRAM&quot;, &quot;$PID&quot;, &quot;${.classifier.class}&quot;));<br />};<br /><br />###############<br />#   PARSER    #<br />###############<br /><br />parser pattern_db {<br />db_parser(file(&quot;/opt/syslog-ng/var/login.parser.new.xml&quot;));<br />};<br /><br />parser DateTime {<br />csv-parser(columns(&quot;DATE_&quot;, &quot;TIME_&quot;)<br />delimiters(&quot;T&quot;)<br />flags(escape-none)<br />template(&quot;${ISODATE}&quot;));<br />};<br /><br /><br />###############<br />#     LOG     #<br />###############<br /><br />log {<br />source(s_net);<br />parser (DateTime);<br />parser(pattern_db);<br />destination(d_mssql_unix);<br />destination(d_messages_successful);<br />};