I have a question about the parser using the db_parser and xml file. I'm currently using the version 3.1.1 of syslog-ng. Here is the xml file named "syslog-ng.xml" : <?xml version='1.0' encoding='UTF-8'?> <patterndb version='3' pub_date='2010-07-21'> <ruleset name='syslog-ng' id='syslog-ng-01'> <pattern>syslog-ng</pattern> <rules> <rule provider='yann' id='syslog:server:0123456789:id001' class='system'> <patterns> <pattern>syslog-ng shutting down; version='@STRING::@'</pattern> <examples> <example> <test_message>syslog-ng shutting down; version='3.1.1'</test_message> </example> </examples> <values> <value name=".classifier.facility">syslog</value> <value name=".classifier.severity">notice</value> <value name=".classifier.priority">45</value> </values> </patterns> </rule> </rules> </ruleset> </patterndb> I would like to test that configuration with the following message "syslog-ng shutting down; version='3.1.1'" by using pdbtool. # /opt/syslog-ng/bin/pdbtool match -p /tmp/syslog-ng.xml -P syslog-ng -M "syslog-ng shutting down; version='3.1.1'" MESSAGE=syslog-ng shutting down; version='3.1.1' PROGRAM=syslog-ng .classifier.class=unknown The result is odd because my message seems to be right... I suspect the quotes so I remove the quotes in the xml file. Let's try again with the same message without quotes : (...) <pattern>syslog-ng shutting down; version=@STRING::@</pattern> (...) Test: # /opt/syslog-ng/bin/pdbtool match -p /tmp/syslog-ng.xml -P syslog-ng -M "syslog-ng shutting down; version=3.1.1" MESSAGE=syslog-ng shutting down; version=3.1.1 PROGRAM=syslog-ng .classifier.class=system .classifier.rule_id=syslog:server:0123456789:id001 .classifier.facility=syslog .classifier.severity=notice .classifier.priority=45 It works. What's wrong with my message ? I tried to remove the second quote in the xml file like this : (...) <pattern>syslog-ng shutting down; version='@STRING::@</pattern> (...) Test : # /opt/syslog-ng/bin/pdbtool match -p /tmp/syslog-ng.xml -P syslog-ng -M "syslog-ng shutting down; version='3.1.1" MESSAGE=syslog-ng shutting down; version='3.1.1 PROGRAM=syslog-ng .classifier.class=system .classifier.rule_id=syslog:server:0123456789:id001 .classifier.facility=syslog .classifier.severity=notice .classifier.priority=45 I have the same result if I changed my xml file like this : (...) <pattern>syslog-ng shutting down; version=''@STRING::@</pattern> (...) Test : # /opt/syslog-ng/bin/pdbtool match -p /tmp/syslog-ng.xml -P syslog-ng -M "syslog-ng shutting down; version=''3.1.1" MESSAGE=syslog-ng shutting down; version=''3.1.1 PROGRAM=syslog-ng .classifier.class=system .classifier.rule_id=syslog:server:0123456789:id001 .classifier.facility=syslog .classifier.severity=notice .classifier.priority=45 Can't I have a message like this one 'texttexttext' ? Or did I miss something ? Last test : I change the xml file like this : (...) <pattern>syslog-ng shutting down; version='3.1.1'</pattern> (...) => I remove the @STRING::@ and the pdbtool returned the .classifier.facility, .classifier.severity, etc. May I use @STRING::@ between two simple quotes ? Regards, Yann I.