x-posted from ELSA mailing list; no replies there so please excuse the noise.

I am trying to add an additional ASA log message that is unclassified in ELSA. To make a long story short, *nothing* seems to be matching with pdbtool. Here is the line I am trying to work with:

    Jun 23 00:00:05 192.168.1.4 %ASA-3-106100: access-list INOUT denied tcp inside/1.2.3.4(64576) -> outside/5.6.7.8(80) hit-cnt 1 first hit [0x59bca63e, 0x620e5b55]

Putting that aside for the moment since I can't get it to work, I went straight to the syslog-ng docs (https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.4-guid...) and used the example. I created /etc/elsa/patterns.d/test.xml with this content:

    <patterndb version='4' pub_date='2010-10-17'>
      <ruleset name='ssh' id='123456678'>
        <pattern>ssh</pattern>
        <rules>
          <rule provider='me' id='182437592347598' class='system'>
            <patterns>
              <pattern>Accepted @QSTRING:SSH.AUTH_METHOD: @ for@QSTRING:SSH_USERNAME: @from\ @QSTRING:SSH_CLIENT_ADDRESS: @port @NUMBER:SSH_PORT_NUMBER:@ ssh2</pattern>
            </patterns>
          </rule>
        </rules>
      </ruleset>
    </patterndb>

I then tested with this line:

    /usr/local/syslog-ng/bin/pdbtool match -p /etc/elsa/patterns.d/test.xml -M "Accepted password for sampleuser from 10.50.0.247 port 42156 ssh2"

The result is this:

    MESSAGE=Accepted password for sampleuser from 10.50.0.247 port 42156 ssh2
    .classifier.class=unknown

Details are:

    [root@hostname elsa]# /usr/local/syslog-ng-3.2.4/sbin/syslog-ng -V
    syslog-ng 3.2.4
    Installer-Version: 3.2.4
    Revision: ssh+git://bazsi@git.balabit//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.2#master#ef7b91e4a1b1f9628c66138b4ae83de7e4c697c6
    Compile-Date: May 23 2012 09:58:14
    Enable-Threads: off
    Enable-Debug: off
    Enable-GProf: off
    Enable-Memtrace: off
    Enable-Sun-STREAMS: off
    Enable-IPv6: on
    Enable-Spoof-Source: off
    Enable-TCP-Wrapper: off
    Enable-SSL: on
    Enable-SQL: off
    Enable-Linux-Caps: on
    Enable-Pcre: on
    Enable-Pacct: off

    [root@hostname elsa]# cat /etc/redhat-release
    Oracle Linux Server release 6.5

Thank you in advance.
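
The field layout of the %ASA-3-106100 line quoted in the post above, as an added Python example that is not part of the original post and is not ELSA or syslog-ng code: it splits the line into the values a classification rule for this message would have to capture. The field names are hypothetical labels, and the regular expressions assume the exact shape of the one sample line shown.

```python
import re

# Constructed from the sample line quoted in the post above.
SAMPLE = ("Jun 23 00:00:05 192.168.1.4 %ASA-3-106100: access-list INOUT denied tcp "
          "inside/1.2.3.4(64576) -> outside/5.6.7.8(80) hit-cnt 1 first hit "
          "[0x59bca63e, 0x620e5b55]")

# Syslog header: timestamp, sending host, then the tag %ASA-<severity>-<id>:
HEADER = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%ASA-(?P<severity>\d)-(?P<msg_id>\d{6}): (?P<body>.*)$")

# Body of message 106100 in the shape shown in the post. Field names are
# hypothetical labels chosen for this example, not ELSA or syslog-ng names.
BODY_106100 = re.compile(
    r"^access-list (?P<acl>\S+) (?P<action>\S+) (?P<proto>\S+) "
    r"(?P<src_if>[^/\s]+)/(?P<src_ip>[0-9.]+)\((?P<src_port>\d+)\) -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst_ip>[0-9.]+)\((?P<dst_port>\d+)\) "
    r"hit-cnt (?P<hit_cnt>\d+) (?P<interval>.+?) "
    r"\[(?P<hash1>0x[0-9a-fA-F]+), (?P<hash2>0x[0-9a-fA-F]+)\]$")

INT_FIELDS = ("severity", "msg_id", "src_port", "dst_port", "hit_cnt")


def parse_asa_106100(line):
    """Return a dict of fields, or None when the line is not a 106100
    message in the shape above (treat None as 'unclassified')."""
    head = HEADER.match(line.strip())
    if not head or head.group("msg_id") != "106100":
        return None
    body = BODY_106100.match(head.group("body"))
    if not body:
        return None
    fields = {**head.groupdict(), **body.groupdict()}
    del fields["body"]  # raw body is redundant once split into fields
    for name in INT_FIELDS:
        fields[name] = int(fields[name])
    return fields


if __name__ == "__main__":
    for key, value in parse_asa_106100(SAMPLE).items():
        print(f"{key:10} {value}")
```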