ILLES, Marton wrote:
Hi,
See my comments inline.
On Mon, 2009-10-12 at 16:32 +0200, Guillaume Rousse wrote:
Hello list.
I'm the mandriva maintainer for syslog-ng.
I'm trying to play with the pattern database, with syslog-ng 3.0.4. I rebuild the package with the attached patch, so as to use /usr/share/syslog-ng a database location (a bit more FHS-compliant than /var), and extracted the files downloaded from http://www.balabit.com/downloads/files/patterndb there.
The reason for using the /var location is that the patterndb could be updated by the user, so I thought /usr is not the appropriate place for such files as they could be changed by the user. For pre-packaged patterns it might be a good place on the other hand. The general idea (which is not ready yet) is to have a bunch of pattern files (for different applications and site-specific ones) which are merged into one big file which is loaded by syslog-ng. This generated file would be in /var.
This merge functionality is missing from the 3.0 version and is only available in my 3.1 tree (hopefully soon merged to mainline by Bazsi). A new pdbtool is responsible for merging and other misc stuff. See my blog on this: http://marci.blogs.balabit.com/2009/08/db-parser-new-utility-pdbtool.html
I am not an FHS expert so please correct me if I am wrong. /var is supposed to hold application state, not their primary data. It could be appropriate to use if the syslog-ng daemon itself wrote the merged database file, after loading various files from other locations. But if users are supposed to do it themselves, /usr, or /etc, would be better suited.
However, loading them fails with this message:
Error parsing pattern database file; filename='/usr/share/syslog-ng/patterndb.xml', error='Unexpected <rule> element'
Error reloading pattern database, no pattern recognition will be done;
It looks like some DB format issue. According to http://www.balabit.com/dl/html/syslog-ng-v3.0-guide-admin-en.html/ch08s06.ht...
the supported format is v1 until syslog-ng 3.0.2, and the NEWS file doesn't list any change here, while the patterndb file is already using v2. Am I correct? And in this case, is there any way to easily convert the database to the old format?
syslog-ng 3.0 only supports patterndb format version 1. syslog-ng 3.1 supports patterndb format 3. Format 3 is backward compatible with format 2, but not with format 1. The published patterns are in format 2, so you can only use them with the 3.1 line. The pdbtool merge command could be used - besides merging patterns - to upgrade the patterndbs to the latest format 3. The new format provides many new features and advantages over the old one, so it is probably a good idea to use it.
Regarding the published patterns, we are working on reviewing and doing editorial work on them to provide better quality, as the currently published ones are generated automatically with a script from logcheck regexp-based patterns and contain some errors. I try to publish them as soon as possible, but I am a bit overloaded now. :(

OK, thanks for the clarification. I'm waiting for the OSE 3.1 release :)
-- BOFH excuse #158: Defunct processes