<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Sorry for bombarding the mailing list with questions. I have been working through the documentation but just seem to keep hitting obstacles. I have compared this to the examples in the manual and some samples I was able to track down, but I'm not seeing where I am going wrong. For this question, I am working with the following data:<div><br></div><div><div><span class="Apple-tab-span" style="white-space:pre">        </span>"MESSAGE" : "RT_FLOW_SESSION_CLOSE: session closed unset: 192.168.199.253/55189->8.8.8.8/53 junos-dns-udp X.X.X.X/60836->8.8.8.8/53 source-nat-rule None 17 trust-to-untrust trust untrust 30455 1(83) 1(83) 2 N/A N/A N/A(N/A) vlan.0",</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>"PROGRAM" : "RT_FLOW"</div></div><div><br></div><div>Based on this, I have generated the following pattern database and config just to see if I am heading down the right path. Unfortunately, what I thought would generate a pattern match on the logs and generate the appropriate macros is not returning anything. I have also tried taking out the $PROGRAM pattern, but that did not seem to help. I have also validated this with pdbtool and it succeeds. 
</div><div><br></div><div>Any help is greatly appreciated</div><div>Chris</div><div><br></div><div><i>patterndb.xml</i></div><div><br></div><div><div><div>&lt;patterndb version='3' pub_date='2011-02-11'&gt;</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>&lt;ruleset name='session_close' id='123456678'&gt;</div><div><span class="Apple-tab-span" style="white-space:pre">                </span>&lt;rules&gt;</div><div><span class="Apple-tab-span" style="white-space:pre">                        </span>&lt;rule provider='cj' id='182437592347598' class='session'&gt;</div><div><span class="Apple-tab-span" style="white-space:pre">                                </span>&lt;patterns&gt;</div><div><span class="Apple-tab-span" style="white-space:pre">                                        </span>&lt;pattern&gt;</div><div><span class="Apple-tab-span" style="white-space:pre">                                                </span>@ESTRING:TEST1:::@ @ANYSTRING:TEST2@</div><div><span class="Apple-tab-span" style="white-space:pre">                                        </span>&lt;/pattern&gt;</div><div><span class="Apple-tab-span" style="white-space:pre">                                </span>&lt;/patterns&gt;</div><div><span class="Apple-tab-span" style="white-space:pre">                        </span>&lt;/rule&gt;</div><div><span class="Apple-tab-span" style="white-space:pre">                </span>&lt;/rules&gt;</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>&lt;/ruleset&gt;</div><div>&lt;/patterndb&gt;</div></div></div><div><br></div><div><br></div><div><i>syslog-ng.conf</i></div><div><br></div><div><div>#####Destinations#####</div><div>destination d_mongodb {</div><div> mongodb(</div><div> value-pairs(</div><div> key("TEST1")</div><div> key("TEST2")</div><div> scope("base")</div><div> )</div><div> );</div><div>};</div><div><br></div><div>#####Parser#####</div><div>parser pattern_db {</div><div> db_parser(</div><div> file("/usr/local/etc/patterndb.xml")</div><div> 
);</div><div>};</div></div><div><br></div><div><div>#####Log#####</div><div>log {</div><div> source(s_network);</div><div> parser(pattern_db);</div><div> destination(d_mongodb);</div><div>};</div></div><div><br></div><div><br></div><div>Unfortunately, what I thought would pattern match and generate a macro for </div></body></html>