Hello,

Apologies - I thought I had closed this thread :-/

I've just realised that when I use Fabien's example in syslog-ng the output file is still empty. I've updated the https://gist.github.com/linickx/8002981 in case the text below doesn't render.

example.xml is now the correct version...

[nick@localhost ~]$ pdbtool test --validate example.xml
example.xml validates
Testing message program='ssh' message='Accepted password for sampleuser from 10.50.0.247 port 42156 ssh2'
[nick@localhost ~]$

The syslog-ng.conf is the same (https://gist.github.com/linickx/8002981#file-syslog-ng-conf) and the net result is the output is still the same (https://gist.github.com/linickx/8002981#file-output-log)

Following the previous 'pdbtool match' ... I get the following?

[nick@localhost ~]$ pdbtool match -p example.xml -f testfile.log --template "${SSH_USERNAME}; ${SSH_CLIENT_ADDRESS}; \n"
; ; ; ;
[nick@localhost ~]$ pdbtool match -p example.xml -f testfile.log --template "${SSH_USERNAME}; ${SSH_CLIENT_ADDRESS}; \n" -D -v
Module loaded and initialized successfully; module='syslogformat'
Module loaded and initialized successfully; module='basicfuncs'
Pattern matching part:
password for sampleuser from 10.50.0.247 port 42156 ssh2
Matching part:
Values:
MESSAGE=password for sampleuser from 10.50.0.247 port 42156 ssh2
PROGRAM=Accepted
LEGACY_MSGHDR=Accepted
.classifier.class=unknown
TAGS=.classifier.unknown
Pattern matching part:
password for user from 10.51.0.27 port 4256 ssh2
Matching part:
Values:
MESSAGE=password for user from 10.51.0.27 port 4256 ssh2
PROGRAM=Accepted
LEGACY_MSGHDR=Accepted
.classifier.class=unknown
TAGS=.classifier.unknown
Closing log transport fd; fd='3'
[nick@localhost ~]$

In my syslog-ng.conf or template, how should I be using the variables defined in the patterndb?

Thanks in Advance,
Nick

On 17 December 2013 12:19, Fabien Wernli <wernli@in2p3.fr> wrote:
Hi,
On Tue, Dec 17, 2013 at 12:07:41PM +0000, Nick wrote:
> [1] I have added a program attribute.
Note that the "program" attribute of "test_message" needs to match the rule's "pattern" text if you want a match.
> [3] I agree that the pattern is wrong, the output above shows that but
Try the following: https://gist.github.com/faxm0dem/b2c87efb098b4aba1969
> [4] I assume you mean "pdbtool patternize -f testfile.log" ? I'm not sure how that helps...
Actually I meant 'pdbtool match'
Sadly, 'patternize' failed to help me in the past, maybe someone else can comment on that.
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
-- Shameless plug for google Juice: http://www.linickx.com
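Added example, not taken from the thread or either gist: a script that writes a minimal patterndb ruleset and a test file whose lines carry a syslog header, then runs the same pdbtool checks as above. The -D output in the thread shows PROGRAM=Accepted, i.e. the bare test lines were parsed with their first word as the program, so a ruleset keyed on the ssh program can never be consulted; file names, rule ids and the pattern text here are assumptions, and the template is single-quoted so the shell does not expand ${SSH_USERNAME} to an empty string before pdbtool sees it.

```shell
#!/bin/sh
# Added example (not from the thread or its gists); file names, ids and the
# pattern text are assumptions. Writes a patterndb ruleset plus a test file
# whose lines carry a syslog header, then runs the thread's pdbtool checks.
set -eu

write_ssh_patterndb() {  # $1 = working directory
    mkdir -p "$1"
    # The ruleset <pattern> is compared with $PROGRAM, the rule <pattern> with $MESSAGE.
    cat > "$1/example.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<patterndb version="4" pub_date="2013-12-17">
  <ruleset name="ssh" id="00000000-0000-0000-0000-000000000001">
    <patterns><pattern>sshd</pattern></patterns>
    <rules>
      <rule provider="example" id="00000000-0000-0000-0000-000000000002" class="system">
        <patterns>
          <pattern>Accepted @ESTRING:SSH_AUTH_METHOD: @for @ESTRING:SSH_USERNAME: @from @IPvANY:SSH_CLIENT_ADDRESS@ port @NUMBER:SSH_PORT_NUMBER:@ ssh2</pattern>
        </patterns>
      </rule>
    </rules>
  </ruleset>
</patterndb>
EOF
    # Constructed sample lines. The header makes PROGRAM "sshd"; a bare
    # "Accepted password ..." line is parsed with PROGRAM=Accepted and no ruleset applies.
    cat > "$1/testfile.log" <<'EOF'
Dec 17 12:07:41 localhost sshd[2231]: Accepted password for sampleuser from 10.50.0.247 port 42156 ssh2
Dec 17 12:07:42 localhost sshd[2232]: Accepted password for user from 10.51.0.27 port 4256 ssh2
EOF
}
# True when every line of $1 starts with a header ending in "sshd[pid]: ".
has_syslog_header() {
    ! grep -qv '^[A-Z][a-z][a-z] [ 0-9][0-9] [0-9:]* [^ ]* sshd\[[0-9]*\]: ' "$1"
}
# Single quotes keep the shell from expanding ${SSH_USERNAME} before pdbtool sees it.
run_pdbtool_checks() {  # $1 = working directory; needs pdbtool on PATH
    pdbtool test --validate "$1/example.xml"
    pdbtool match -p "$1/example.xml" -f "$1/testfile.log" \
        --template '${SSH_USERNAME}; ${SSH_CLIENT_ADDRESS}\n'
}

WORKDIR="${1:-./pdb-example}"
write_ssh_patterndb "$WORKDIR"
has_syslog_header "$WORKDIR/testfile.log"
if command -v pdbtool >/dev/null 2>&1; then
    run_pdbtool_checks "$WORKDIR"
fi
```

In syslog-ng.conf the same names are reached the same way: a db-parser() that loads example.xml placed in the log path before the destination, and a template that references ${SSH_USERNAME} and ${SSH_CLIENT_ADDRESS}.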