Hello,
I'm writing patterndb.xml files to filter syslog messages from servers and Cisco routers. Currently, Cisco sends syslog in this format:
Nov 3 15:36:02 srv01.dom.test 36779: .Nov 3 14:50:30.403: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: user01] [Source: 10.0.0.1] [localport: 22] at 15:50:30 CET Wed Nov 3 2010
Nov 3 15:39:02 srv01.dom.test 36780: .Nov 3 14:53:30.255: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: user01] [Source: 10.0.0.1] [localport: 22] at 15:53:30 CET Wed Nov 3 2010
Nov 3 15:42:01 srv01.dom.test 36781: .Nov 3 14:56:30.378: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: user01] [Source: 10.0.0.1] [localport: 22] at 15:56:30 CET Wed Nov 3 2010
The problem comes from the program name, which changes for each message: 36779, 36780, 36781, etc. For this reason, I can't use the patterndb mechanism.
How may I solve my problem? I think it's not allowed to change the program name with the "rewrite" rule.
I have the same problem with switches from Alcatel...
Regards,
Yann I.
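A Python sketch, added here and not part of Yann's post or of syslog-ng itself, that parses the three lines quoted above to show why the BSD-syslog "program" slot is useless as a match key for these messages (it carries the IOS per-message sequence number) and derives a stable key from the %FACILITY-SEVERITY-MNEMONIC tag instead; the record field names and the login-counting helper are my own.

```python
import re

# Constructed sample input: the three lines quoted in the post above.
SAMPLE_LINES = [
    "Nov 3 15:36:02 srv01.dom.test 36779: .Nov 3 14:50:30.403: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: user01] [Source: 10.0.0.1] [localport: 22] at 15:50:30 CET Wed Nov 3 2010",
    "Nov 3 15:39:02 srv01.dom.test 36780: .Nov 3 14:53:30.255: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: user01] [Source: 10.0.0.1] [localport: 22] at 15:53:30 CET Wed Nov 3 2010",
    "Nov 3 15:42:01 srv01.dom.test 36781: .Nov 3 14:56:30.378: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: user01] [Source: 10.0.0.1] [localport: 22] at 15:56:30 CET Wed Nov 3 2010",
]

# BSD-syslog layout as a receiver sees it: "<timestamp> <host> <program>: <message>".
# With IOS sequence numbering on, <program> is a counter (36779, 36780, ...),
# so any rule keyed on $PROGRAM matches at most one message.
HEADER_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<program>\S+?): (?P<msg>.*)$"
)
# IOS body: optional clock-status flag ('.' or '*'), device timestamp,
# then "%FACILITY-SEVERITY-MNEMONIC: free text".
BODY_RE = re.compile(
    r"^(?P<flag>[.*]?)(?P<dev_ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d{3})?): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)
# "[name: value]" pairs inside the free text, e.g. "[Source: 10.0.0.1]".
FIELD_RE = re.compile(r"\[(\w+): ([^\]]+)\]")


def parse_cisco_line(line):
    """Return a dict of the useful fields, or None if the line is not IOS-shaped."""
    h = HEADER_RE.match(line)
    if not h:
        return None
    b = BODY_RE.match(h["msg"])
    if not b:
        return None
    rec = {
        "host": h["host"],
        "seq": int(h["program"]),          # the volatile "program name"
        "facility": b["facility"],
        "severity": int(b["severity"]),
        "mnemonic": b["mnemonic"],
        "text": b["text"],
    }
    rec.update({k.lower(): v for k, v in FIELD_RE.findall(b["text"])})
    # Stable key for rule matching, independent of the sequence number.
    rec["program"] = f"{rec['facility']}-{rec['severity']}-{rec['mnemonic']}"
    return rec


def count_logins(lines):
    """Aggregate LOGIN_SUCCESS events per (user, source) for review."""
    counts = {}
    for rec in filter(None, map(parse_cisco_line, lines)):
        if rec["mnemonic"] == "LOGIN_SUCCESS":
            key = (rec.get("user"), rec.get("source"))
            counts[key] = counts.get(key, 0) + 1
    return counts
```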