Anyone? Is this a known bug?

On Mar 8, 2012, at 3:51 PM, Kurt Yoder wrote:
Hi list,
Using patterndb, has anyone successfully used multiple application patterns per ruleset? I have the following:
<?xml version='1.0' encoding='UTF-8'?>
<patterndb version='4' pub_date='2012-03-08'>
  <ruleset name='rdc-pam' id='rdc-pam'>
    <patterns>
      <pattern>blahblah</pattern>
      <pattern>sshd</pattern>
    </patterns>
    <rules>
      <rule class='system' id='pam_session_opened_for_user_by_uid' provider='rdc'>
        <description></description>
        <patterns>
          <pattern>pam_unix(sshd:session): session opened for user kurt by (uid=0)</pattern>
        </patterns>
        <values>
        </values>
        <tags>
          <tag>rdc.alert.ok</tag>
        </tags>
      </rule>
    </rules>
  </ruleset>
</patterndb>
As soon as I remove "<pattern>blahblah</pattern>", or move it below "<pattern>sshd</pattern>", this rule starts matching events. When I add it back, it stops matching events.
The documentation at http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.2-guid... says (incidentally, the closing "<patterns>" in this example should instead read "</patterns>"):
"Specifying multiple patterns is useful if two or more applications have different names (that is, different $PROGRAM fields), but otherwise send identical log messages.

<patterns>
  <pattern>firstapplication</pattern>
  <pattern>otherapplication</pattern>
<patterns>"

This is exactly what I am trying to do, but it does not appear to work as documented.
I manually backported my syslog-ng from Ubuntu Oneiric:
$ syslog-ng --version
syslog-ng 3.2.4
Installer-Version: 3.2.4
Revision: ssh+git://bazsi@git.balabit//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.2#master#ef7b91e4a1b1f9628c66138b4ae83de7e4c697c6
Compile-Date: Jan 19 2012 02:57:58
Enable-Threads: on
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-Sun-STREAMS: off
Enable-IPv6: on
Enable-Spoof-Source: on
Enable-TCP-Wrapper: on
Enable-SSL: on
Enable-SQL: on
Enable-Linux-Caps: on
Enable-Pcre: on
Enable-Pacct: off
Can anyone offer a suggestion toward making this work?
Thanks
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
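The documented semantics quoted above (a ruleset applies when $PROGRAM matches any of its program patterns, in any order) can be modelled offline to check what a given patterndb file should classify. The following is an added example, not syslog-ng's own matcher and not code from the thread: it parses a constructed copy of the ruleset from the post with the stdlib XML parser and returns the rule id and tags for a program/message pair. The rule here contains no @parser@ tokens, so a literal comparison of the message text stands in for syslog-ng's pattern engine.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the ruleset from the post, with the non-matching program
# pattern "blahblah" listed before "sshd" (the ordering reported to fail).
PATTERNDB_XML = """<?xml version='1.0' encoding='UTF-8'?>
<patterndb version='4' pub_date='2012-03-08'>
  <ruleset name='rdc-pam' id='rdc-pam'>
    <patterns>
      <pattern>blahblah</pattern>
      <pattern>sshd</pattern>
    </patterns>
    <rules>
      <rule class='system' id='pam_session_opened_for_user_by_uid' provider='rdc'>
        <patterns>
          <pattern>pam_unix(sshd:session): session opened for user kurt by (uid=0)</pattern>
        </patterns>
        <tags><tag>rdc.alert.ok</tag></tags>
      </rule>
    </rules>
  </ruleset>
</patterndb>"""

# Constructed sample message, identical to the rule pattern in the post.
MSG = "pam_unix(sshd:session): session opened for user kurt by (uid=0)"


def classify(pdb_xml, program, message):
    """Return (rule id, tags) for the first rule whose ruleset lists `program`
    among its <patterns> and whose rule pattern equals `message` literally.
    Returns (None, []) when no ruleset or rule applies."""
    root = ET.fromstring(pdb_xml)
    for ruleset in root.iter("ruleset"):
        programs = [p.text for p in ruleset.findall("patterns/pattern")]
        if program not in programs:  # any position in the list qualifies
            continue
        for rule in ruleset.findall("rules/rule"):
            for pat in rule.findall("patterns/pattern"):
                if pat.text == message:
                    tags = [t.text for t in rule.findall("tags/tag")]
                    return rule.get("id"), tags
    return None, []


if __name__ == "__main__":
    print(classify(PATTERNDB_XML, "sshd", MSG))
```

Comparing this model's result with the live syslog-ng result for the same program/message pair isolates whether the file or the ruleset-selection code is at fault.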