Hi David,

Robert is right, the pattern version is hardcoded. Taking a glimpse at the patterndb v3 and v4 XSDs, I think the update should indeed be trivial; the format is upwards compatible. I'll send a pull request for this change in a minute.

Regarding the formatting: it uses the parsing mechanism of syslog-ng internally. It works just as if you specified a file() source for syslog-ng with flags(syslog-protocol) added. You can also give "--no-parse" to the tool, which makes it parse logs just like a file() source with flags(no-parse). It wouldn't be too complicated to make it possible to use all available file source flags, but I never got around to doing it.

cheers,
Peter

On Wed, Apr 16, 2014 at 1:40 AM, David Hauck <davidh@netacquire.com> wrote:
Hello,

Does anyone have an explanation for why a "pdbtool patternize" generated pattern db indicates it is version '3'? I'm running the latest version of syslog-ng (3.5.4.1) so I was expecting that this would produce a version '4' pattern db. Easy enough to change in the generated XML, just wondering why the latest generator wouldn't create the latest version.

Also, what is the nominal format for the log messages that the 'patternize' command is able to process (i.e., would this be logs that contain the nominally formatted syslog-ng output - e.g., via the default template: template("$ISODATE $HOST $MSGHDR$MSG\n");). I've seen some output that appears to suggest there's some nominal decoding of the input log messages.

Thanks,
-David