<div>I am trying to match the pattern for DC logs and here is my XML format</div><div><br></div><div>Here&#39;s the patterndb.xml file at /opt/syslog-ng/var/patterndb.xml:</div><div>---------------------------------------</div>
<div><div>&lt;?xml version=&#39;1.0&#39; encoding=&#39;UTF-8&#39;?&gt;</div><div>&lt;patterndb version=&#39;3&#39; pub_date=&#39;2011-12-21&#39;&gt;</div><div>&lt;ruleset id=&#39;90c9b341f4e3d63c5ed8b29950491bf8&#39; name=&#39;Domain Ctrls&#39;&gt;</div>
<div>&lt;rules&gt;</div><div>        &lt;rule provider=&#39;localtest&#39; id=&#39;012c230f236d6a3f761ba956e7dff26a&#39; class=&#39;system&#39;&gt;</div><div>        &lt;patterns&gt;</div><div>                        &lt;pattern&gt;</div>
<div>@ESTRING:user::@ Security Microsoft Windows security auditing.: [Success Audit] A computer account was changed.    Subject:   Security ID:  S-1-5-7   Account Name:  ANONYMOUS LOGON   Account Domain:  NT AUTHORITY   Logon ID:  0x3e6    Computer Account That Was Changed:   Security ID:  @ESTRING::  @Account Name:   @ESTRING:<b>ACC_NAME</b>: @   Account Domain:  testdomain    Changed Attributes:   SAM Account Name: -   Display Name:  -   User Principal Name: -   Home Directory:  -   Home Drive:  -   Script Path:  -   Profile Path:  -   User Workstations: -   Password Last Set: @ESTRING:: @@ESTRING:: @   Account Expires:  -   Primary Group ID: -   AllowedToDelegateTo: -   Old UAC Value:  -   New UAC Value:  -   User Account Control: -   User Parameters: -   SID History:  -   Logon Hours:  -   DNS Host Name:  -   Service Principal Names: -    Additional Information:   Privileges:  - (EventID 4742)</div>
<div>&lt;/pattern&gt;</div><div>                    &lt;/patterns&gt;</div><div><br></div><div>&lt;/rule&gt;</div><div>&lt;/rules&gt;</div><div>&lt;/ruleset&gt;</div><div>&lt;/patterndb&gt;</div></div><div><br></div><div>
---------------------------------------</div>Here&#39;s the syslog-ng conf extract:<div>---------------------------------------</div><div><div>parser pattern_db {</div><div>            db_parser(</div><div>                file(&quot;/opt/syslog-ng/var/patterndb.xml&quot;)</div>
<div>            );</div><div>            };</div><div><div>destination patt_d{</div><div>file(&quot;/data/test/${R_YEAR}/${R_MONTH}/${R_DAY}/Domain_Ctrl__${SOURCEIP}_${R_YEAR}_${R_MONTH}_${R_DAY}.log&quot;</div><div>owner(&quot;test&quot;)</div>
<div>                group(&quot;test&quot;)</div><div>                perm(0660)</div><div>                dir-owner(&quot;test&quot;)</div><div>                dir-group(&quot;test&quot;)</div><div>                dir-perm(0770)</div>
<div>template(&quot;$<b>ACC_NAME</b>\n $MSG\n&quot;)</div><div>        );</div><div>};</div></div><div><br></div><div>---------------------------------</div><div><br></div><div>but the <b>ACC_NAME</b> returns blank, although the log contains that field.</div>
<div><br></div><div><br></div>-- <br><div>Thanks<br>Anup</div>
</div>
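<div>An added example, not part of the post above and not syslog-ng code: a small Python emulation of how a patterndb rule built from literals and @ESTRING@ parsers is matched against a message. It encodes the documented patterndb semantics as assumptions (an ESTRING captures up to the first occurrence of its delimiter and consumes the delimiter; every literal must then appear verbatim at the current offset; a rule sets none of its name-value pairs unless the whole message matches). The sample message and the two pattern fragments are constructed for this example, shaped like the "Account Name:   @ESTRING:ACC_NAME: @   Account Domain:" fragment in the post; the functions tokenize, match and acc_name are hypothetical helpers.</div>

```python
"""Emulation of syslog-ng patterndb literal/@ESTRING@ matching (hypothetical helper, not syslog-ng code)."""
import re

# Constructed sample: a flattened Windows 4742 event fragment as a forwarding agent might send it.
# Note that the account name is followed by two spaces before the next label.
SAMPLE_MSG = ("Computer Account That Was Changed:   Security ID:  S-1-5-21-1111-2222-3333-1001"
              "  Account Name:   SRV01$  Account Domain:  testdomain")

# Pattern fragment shaped like the one in the post: ACC_NAME is delimited by a single space
# and the literal that follows it starts with three spaces.
PATTERN_3SP = ("Computer Account That Was Changed:   Security ID:  @ESTRING::  @"
               "Account Name:   @ESTRING:ACC_NAME: @   Account Domain:  testdomain")

# Same fragment, but the literal after ACC_NAME only expects the spaces that remain
# once ESTRING has consumed its one-space delimiter.
PATTERN_1SP = ("Computer Account That Was Changed:   Security ID:  @ESTRING::  @"
               "Account Name:   @ESTRING:ACC_NAME: @ Account Domain:  testdomain")

# @ESTRING:name:delimiter@ ; the name may be empty, the delimiter may be several characters.
TOKEN_RE = re.compile(r"@ESTRING:([^:@]*):([^@]*)@")


def tokenize(pattern):
    """Split a pattern into ('lit', text) and ('estring', name, delimiter) tokens."""
    tokens, pos = [], 0
    for m in TOKEN_RE.finditer(pattern):
        if m.start() > pos:
            tokens.append(("lit", pattern[pos:m.start()]))
        name, delim = m.group(1), m.group(2)
        if not delim:
            raise ValueError("ESTRING needs a delimiter")
        tokens.append(("estring", name, delim))
        pos = m.end()
    if pos < len(pattern):
        tokens.append(("lit", pattern[pos:]))
    return tokens


def match(pattern, message):
    """Return (values, None) on a full match, or ({}, diagnostic) describing where matching stopped.

    Assumed semantics: a literal must appear verbatim at the current offset; ESTRING captures
    up to the first occurrence of its delimiter and consumes the delimiter itself; the whole
    message must be consumed, and a rule that does not match sets no name-value pairs at all.
    """
    values, pos = {}, 0
    for tok in tokenize(pattern):
        if tok[0] == "lit":
            lit = tok[1]
            if not message.startswith(lit, pos):
                seen = message[pos:pos + len(lit)]
                return {}, f"literal {lit!r} not found at offset {pos}: message has {seen!r}"
            pos += len(lit)
        else:
            _, name, delim = tok
            end = message.find(delim, pos)
            if end < 0:
                return {}, f"ESTRING {name or '<unnamed>'}: delimiter {delim!r} not found after offset {pos}"
            if name:
                values[name] = message[pos:end]
            pos = end + len(delim)   # the delimiter is consumed, not kept in the value
    if pos != len(message):
        return {}, f"trailing text not matched: {message[pos:]!r}"
    return values, None


def acc_name(pattern, message):
    """What the $ACC_NAME macro would expand to: the captured value if the rule matched, else ''."""
    values, _ = match(pattern, message)
    return values.get("ACC_NAME", "")


if __name__ == "__main__":
    for label, pat in (("three-space literal", PATTERN_3SP), ("one-space literal", PATTERN_1SP)):
        values, why = match(pat, SAMPLE_MSG)
        print(f"{label}: ACC_NAME={acc_name(pat, SAMPLE_MSG)!r}; {why or 'rule matched ' + str(values)}")
```

<div>Running the block shows the all-or-nothing behaviour that produces an empty $ACC_NAME: with the three-space literal the rule stops at the literal right after the ESTRING (only one space is left in the message once the delimiter has been eaten), so nothing is captured, while the one-space variant matches and yields SRV01$. Whether that is what happens with the real event depends on the exact spacing of the forwarded message, which an HTML mail rendering does not preserve reliably; the authoritative check is syslog-ng&#39;s own pdbtool, for example <code>pdbtool match -p /opt/syslog-ng/var/patterndb.xml -M &quot;&lt;one raw message from the DC&gt;&quot; -D</code>, whose -D output reports how far the radix match got and which name-value pairs were set. Also check that the pattern text in the file sits directly inside the &lt;pattern&gt; tags rather than on its own indented line, since the element text is used as-is.</div>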