<div dir="ltr">Is 3.5.6 OSE still the latest stable version, or is there anything higher?</div><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Nov 2, 2014 at 2:26 AM, Balazs Scheidler <span dir="ltr"><<a href="mailto:bazsi77@gmail.com" target="_blank">bazsi77@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><p dir="ltr">You can always use pdbtool match to debug and match messages against a patterndb database.</p>
<p dir="ltr">It even colorizes the output to show how far a message matched.</p><div class="HOEnZb"><div class="h5">
<div class="gmail_quote">On Oct 3, 2014 10:35 AM, "Fabien Wernli" <<a href="mailto:wernli@in2p3.fr" target="_blank">wernli@in2p3.fr</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Justin,<br>
<br>
First things first, your patterndb file doesn't validate.<br>
You should always test and validate the files using<br>
`pdbtool test --validate <file.pdb>`. You have to put the text of your<br>
example in a `<test_message>` element, without forgetting the `program`:<br>
<br>
<examples><br>
<example><br>
<test_message program="sshd">Failed password for kaladhar from 127.0.1.1 port 44637 ssh2</test_message><br>
</example><br>
</examples><br>
<br>
Now this probably doesn't explain why the parser doesn't match your messages.<br>
<br>
On Thu, Oct 02, 2014 at 04:31:38PM -0400, Justin Kala wrote:<br>
> * cat messagesAuth.2014.10.02.16unknown|unknown|*<br>
<br>
This means your message correctly made it to the pattern parser, but didn't<br>
match any rule.<br>
What I can suggest is to run syslog-ng in the foreground, using<br>
`syslog-ng -Fvd`, so you'll also get debugging information. Please post the relevant<br>
info from the output if you don't figure it out by yourself.<br>
<br>
Cheers<br>
<br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</blockquote></div>
</div></div><br>
<br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature">Kaladhar</div>
</div>
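A complete patterndb file built around the `<test_message>` from the thread, as an added example that is not from any of the posters or the syslog-ng project. The rule pattern, value names, ids, `class` and `pub_date` are assumptions chosen for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: ids, names and pub_date are constructed placeholders. -->
<patterndb version="4" pub_date="2014-10-03">
  <ruleset name="sshd-example" id="00000000-0000-0000-0000-000000000001">
    <!-- Program pattern: the ruleset is only consulted when PROGRAM is sshd. -->
    <patterns>
      <pattern>sshd</pattern>
    </patterns>
    <rules>
      <rule provider="example" id="00000000-0000-0000-0000-000000000002" class="violation">
        <patterns>
          <!-- ESTRING reads up to the next space; IPv4 and NUMBER are typed parsers. -->
          <pattern>Failed password for @ESTRING:usracct.username: @from @IPv4:usracct.device@ port @NUMBER:usracct.port@ ssh2</pattern>
        </patterns>
        <examples>
          <example>
            <!-- The program attribute must be present, as pointed out in the thread. -->
            <test_message program="sshd">Failed password for kaladhar from 127.0.1.1 port 44637 ssh2</test_message>
            <!-- Expected values extracted by the parsers in the pattern above. -->
            <test_values>
              <test_value name="usracct.username">kaladhar</test_value>
              <test_value name="usracct.device">127.0.1.1</test_value>
              <test_value name="usracct.port">44637</test_value>
            </test_values>
          </example>
        </examples>
      </rule>
    </rules>
  </ruleset>
</patterndb>
```

Saved under a name such as `sshd-example.pdb` (hypothetical), the file can be checked with `pdbtool test --validate sshd-example.pdb`, which reports a failure if the test message does not match the rule or an extracted value differs from its `test_value`.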