<div dir="ltr"><div><div><div><div>Hi David!<br><br></div>If a log message does not match any pattern for a parser, syslog-ng db-parser sets its .classifier.class to "unknown" regardless of the field's previous state. So if it matched on a previous parser, the next parser will overwrite it if it doesn't match on that. I think it's a bug rather than a feature, so could you please open an issue for that on github? <br>
<br></div>You can merge patterndb .pdb files easily with "pdbtool merge" command, which is shipped with syslog-ng. It's simpler than having junctions :).<br><br></div>Best Regards,<br></div>Viktor<br></div><div class="gmail_extra">
<br><br><div class="gmail_quote">On Fri, Apr 11, 2014 at 9:52 PM, David Hauck <span dir="ltr"><<a href="mailto:davidh@netacquire.com" target="_blank">davidh@netacquire.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi Robert,<br>
<div class=""><br>
On Friday, April 11, 2014 12:19 PM, <a href="mailto:syslog-ng-bounces@lists.balabit.hu">syslog-ng-bounces@lists.balabit.hu</a> wrote:<br>
> Hi,<br>
><br>
> I guess the problem is that patterndb parsers were not thought to be<br>
> used this way, and each parser sets the .classifier.class value based<br>
> on its own rules, overwriting any previous values. Consequently,<br>
> merging the patterndbs into a single file would definitely work.<br>
<br>
</div>As it turns out all of the pattern DBs here (these are just the stock files from: <a href="https://github.com/balabit/syslog-ng-patterndb" target="_blank">https://github.com/balabit/syslog-ng-patterndb</a>) define the same 'class' (so the results of .classifier.class should always be 'system' after running through each of the parsers, no?).<br>
<div class=""><br>
> Another option could be a variant of your second idea: you use a<br>
> single log statement, and embed the parsers into a junction, where<br>
> each channel of the junction contains a filter (to process only the<br>
> messages that the parser can parse), and one of the parsers.<br>
> Something like:<br>
> log {<br>
> filter(f_auth);<br>
> junction{<br>
> channel {filter (program(sshd)); parser("sshd");}<br>
> channel {filter (program(sudo)); parser("sudo");} ....<br>
> }<br>
> }<br>
<br>
</div>Thanks, I've tried this and it does appear to address this problem (notwithstanding the fact I mention above, where each pattern file specifies the same .classifier.class value).<br>
<br>
I'm going to follow up with another question related to boolean filters and embedded log statements since some of the follow-on filtering criteria now appear unexplainable.<br>
<br>
Thanks,<br>
-David<br>
<div><div class="h5"><br>
> Robert<br>
><br>
> On Friday, April 11, 2014 19:18 CEST, David Hauck<br>
> <<a href="mailto:davidh@netacquire.com">davidh@netacquire.com</a>> wrote:<br>
><br>
>> Hello,<br>
>><br>
>> I've only recently dug into some more intricate 'syslog-ng'<br>
>> configurations<br>
>> and had a question regarding 'log' construct blocks where multiple 'parser'<br>
>> references exist. I've been trying to do something like the following<br>
>> (testing with the supplied example pattern databases):<br>
>><br>
>> log {<br>
>> filter(f_auth);<br>
>> parser("login");<br>
>> parser("sshd");<br>
>> parser("su");<br>
>> parser("sudo");<br>
>> log {<br>
>> filter(f_class_system);<br>
>> ...<br>
>> };<br>
>> };<br>
>><br>
>> The problem I'm having is that extracted values from matched rules<br>
>> appear<br>
>> to be lost when the matched rule exists in a pattern db *other than<br>
>> the last referenced parser() db*. Specifically, if a rule is matched<br>
>> in the 'sshd' db above the following 'f_class_system' filter (which<br>
>> attempts to match<br>
>> '.classifier.class') *does not* match; however, if a rule is matched<br>
>> in the 'sudo' db above the 'f_class_system' filter *does* match.<br>
>><br>
>> I'm sure this is perfectly explainable, but I can't find any<br>
>> documentation/Google references specifically outlining this behaviour.<br>
>> Given the above and in order to work around this I assume I would have<br>
>> to, either: 1) combine all of the rules into a single db file, or 2)<br>
>> break out each 'parser' reference into a separate embedded 'log'<br>
>> construct (not ideal since the filtering et mechanics in each would be<br>
>> identical and for maintenance reasons I'd like to consolidate these into<br>
>> a single 'log' construct). Both options are less than ideal. Is there a<br>
>> better way?<br>
>><br>
>> Really appreciate any help you might be able to offer.<br>
>><br>
>> Thanks,<br>
>> -David<br>
>><br>
> __________________________________________________________<br>
> ____________<br>
</div></div>>> ________ Member info:<br>
<div class="">>> <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
>> Documentation:<br>
>> <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
>> FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
>><br>
>><br>
</div><div class="HOEnZb"><div class="h5">
<br>
</div></div></blockquote></div><br></div>
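Viktor's pointer to "pdbtool merge" above, illustrated with an added Python script that is not part of this thread and not syslog-ng's own code: it gathers the ruleset elements of several .pdb files under one patterndb root, refuses to merge when a ruleset or rule id appears twice, and lists the rule classes, which is how one can confirm David's point that the stock files all set class 'system'. The patterndb v4 layout and the two sample databases are constructed assumptions for this example, not files from the syslog-ng-patterndb repository.

```python
"""Merge several syslog-ng patterndb (.pdb) files into a single document.

Added example, not syslog-ng's own code: it reproduces by hand what the
shipped ``pdbtool merge`` command does (collect every ruleset under one
patterndb root) so that the file format stays visible and duplicate ids
are caught. The patterndb v4 layout is assumed from the public sample
files; both sample documents below are constructed for this example.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a minimal 'sshd' ruleset with one rule.
PDB_SSHD = """\
<patterndb version="4" pub_date="2014-04-11">
  <ruleset name="sshd" id="11111111-1111-1111-1111-111111111111">
    <patterns><pattern>sshd</pattern></patterns>
    <rules>
      <rule provider="example" id="aaaaaaaa-0000-0000-0000-000000000001" class="system">
        <patterns>
          <pattern>Accepted @ESTRING:usracct.authmethod: @for @ESTRING:usracct.username: @from @ESTRING:usracct.device: @port @ESTRING:: @@ANYSTRING:usracct.service@</pattern>
        </patterns>
      </rule>
    </rules>
  </ruleset>
</patterndb>
"""

# Constructed sample: a minimal 'sudo' ruleset with one rule.
PDB_SUDO = """\
<patterndb version="4" pub_date="2014-04-11">
  <ruleset name="sudo" id="22222222-2222-2222-2222-222222222222">
    <patterns><pattern>sudo</pattern></patterns>
    <rules>
      <rule provider="example" id="aaaaaaaa-0000-0000-0000-000000000002" class="system">
        <patterns>
          <pattern>@ESTRING:usracct.username: @: TTY=@ESTRING:usracct.tty: @; PWD=@ESTRING:usracct.pwd: @; USER=@ESTRING:usracct.target: @; COMMAND=@ANYSTRING:usracct.command@</pattern>
        </patterns>
      </rule>
    </rules>
  </ruleset>
</patterndb>
"""


def merge_patterndbs(pdb_texts, pub_date="2014-04-11"):
    """Return one patterndb XML string holding every ruleset of the inputs.

    Raises ValueError on a non-patterndb root, or when a ruleset/rule id
    appears twice, so a merged file never ships two rules under one id.
    """
    merged = ET.Element("patterndb", version="4", pub_date=pub_date)
    seen = {}  # id -> name of the ruleset that introduced it
    for text in pdb_texts:
        root = ET.fromstring(text)
        if root.tag != "patterndb":
            raise ValueError("not a patterndb document: <%s>" % root.tag)
        for ruleset in root.findall("ruleset"):
            name = ruleset.get("name")
            # Check the ruleset id and every rule id inside it.
            for elem in [ruleset] + ruleset.findall("rules/rule"):
                ident = elem.get("id")
                if ident in seen:
                    raise ValueError("duplicate id %s (in rulesets %s and %s)"
                                     % (ident, seen[ident], name))
                seen[ident] = name
            merged.append(ruleset)
    return ET.tostring(merged, encoding="unicode")


def rules_per_ruleset(pdb_text):
    """Map each ruleset name to its rule count, to sanity-check a merge."""
    root = ET.fromstring(pdb_text)
    return {rs.get("name"): len(rs.findall("rules/rule"))
            for rs in root.findall("ruleset")}


def rule_classes(pdb_text):
    """Sorted distinct 'class' attributes of all rules, i.e. the values
    .classifier.class can take when a rule of this database matches."""
    root = ET.fromstring(pdb_text)
    return sorted({r.get("class") for r in root.iter("rule") if r.get("class")})


if __name__ == "__main__":
    merged = merge_patterndbs([PDB_SSHD, PDB_SUDO])
    print(merged)
    print(rules_per_ruleset(merged), rule_classes(merged))
```

Run it with no arguments to print the merged document; for real files, read each one and pass the list of strings to merge_patterndbs. With all rulesets in one database, a message passes through a single db-parser, so a parser that fails to match can no longer reset .classifier.class to "unknown" after an earlier parser had set it.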