Thanks for your reply. I do not understand how to do it now; it has puzzled and troubled me for some days. I read the Balabit syslog-ng OSE guide documents, and there is only simple information in there. How do I do this?

----->>>> If you change the patterndb ruleset pattern to use a program of system rather than ESXI I think it would work.

2013/4/28 <syslog-ng-request@lists.balabit.hu>
Send syslog-ng mailing list submissions to syslog-ng@lists.balabit.hu
To subscribe or unsubscribe via the World Wide Web, visit https://lists.balabit.hu/mailman/listinfo/syslog-ng or, via email, send a message with subject or body 'help' to syslog-ng-request@lists.balabit.hu
Today's Topics:
   1. Can not get DBParse match macro result (syslog-ng 3.13 debian squeeze) (????)
   2. Re: Can not get DBParse match macro result (syslog-ng 3.13 debian squeeze) (Evan Rempel)
----------------------------------------------------------------------
Message: 1
Date: Sat, 27 Apr 2013 22:34:50 +0800
From: ???? <onlydebian@gmail.com>
Subject: [syslog-ng] Can not get DBParse match macro result (syslog-ng 3.13 debian squeeze)
To: syslog-ng@lists.balabit.hu
Message-ID: <CA+SSH2oBB2-WWvQksbchVVoyhfZbdVvDR=V7wJ1EJdvE6Zx9zg@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
When I use pdbtool to do a match test, it succeeds, but from syslog-ng the macros return no result; I cannot get the macro values. For example, ${.esxi.month} has no value, and the same goes for ${.esxi.host_ip} and ${.esxi.time}.

The test log output looks just like this:

=== system,error,critical, HOST IP ,
=== system,error,critical, HOST IP ,
=== system,error,critical, HOST IP ,
=== system,error,critical, HOST IP ,
=== system,error,critical, HOST IP ,
=== system,error,critical, HOST IP ,
=== system,error,critical, HOST IP ,
=== system,error,critical, HOST IP ,
=== system,error,critical, HOST IP ,

When I do the pdbtool test, it is OK. I hope someone can give me a solution and help. I have searched the mailing list but I could not find the right solution. Thanks a lot.
root@debian:~# pdbtool match -D -c -p /etc/syslog-ng/patterndb/esxi_pattern.xml -P ESXI -M "Apr 26 15:17:31 192.168.88.71 vmkernel: cpu11:8203)NMP: nmp_ThrottleLogForDevice:2319: Cmd 0x1a (0x4124444a6280, 0) to dev "mpx.vmhba0:C0:T0:L0" on path "vmhba0:C0:T0:L0" Failed: H:0x0 D:0x2 P:0x0 Valid sense data: 0x5 0x20 0x0. Act:NONE"
Pattern matching part:
@STRING:.esxi.month=Apr@ @STRING:.esxi.date=26@ @STRING:.esxi.time=15:17:31@@IPv4:.esxi.host_ip=192.168.88.71@ @ESTRING:.esxi.program= vmkernel: cpu11:8203)NMP: nmp_ThrottleLogForDevice:2319: Cmd 0x1a (0x4124444a6280, 0) to dev mpx.vmhba0:C0:T0:L0 on path vmhba0:C0:T0:L0 Failed: H:0x0 D:0x2 P:0x0 Valid sense data: 0x5 0x20 0x0. Act:NONE@@ANYSTRING:.esxi.message=cpu11:8203)NMP: nmp_ThrottleLogForDevice:2319: Cmd 0x1a (0x4124444a6280, 0) to dev mpx.vmhba0:C0:T0:L0 on path vmhba0:C0:T0:L0 Failed: H:0x0 D:0x2 P:0x0 Valid sense data: 0x5 0x20 0x0. Act:NONE@
Matching part:
Apr 26 15:17:31 192.168.88.71 vmkernel: cpu11:8203)NMP: nmp_ThrottleLogForDevice:2319: Cmd 0x1a (0x4124444a6280, 0) to dev mpx.vmhba0:C0:T0:L0 on path vmhba0:C0:T0:L0 Failed: H:0x0 D:0x2 P:0x0 Valid sense data: 0x5 0x20 0x0. Act:NONE
Values:
  MESSAGE=Apr 26 15:17:31 192.168.88.71 vmkernel: cpu11:8203)NMP: nmp_ThrottleLogForDevice:2319: Cmd 0x1a (0x4124444a6280, 0) to dev mpx.vmhba0:C0:T0:L0 on path vmhba0:C0:T0:L0 Failed: H:0x0 D:0x2 P:0x0 Valid sense data: 0x5 0x20 0x0. Act:NONE
  PROGRAM=ESXI
  .classifier.class=esxi
  .classifier.rule_id=182437592347598
  .esxi.month=Apr
  .esxi.date=26
  .esxi.time=15:17:31
  .esxi.host_ip=192.168.88.71
  .esxi.program= vmkernel
  .esxi.message=cpu11:8203)NMP: nmp_ThrottleLogForDevice:2319: Cmd 0x1a (0x4124444a6280, 0) to dev mpx.vmhba0:C0:T0:L0 on path vmhba0:C0:T0:L0 Failed: H:0x0 D:0x2 P:0x0 Valid sense data: 0x5 0x20 0x0. Act:NONE
root@debian:~#
My configuration is as below:
######## esxi_pattern.xml ############
<?xml version="1.0" encoding="utf-8"?>
<patterndb version='3' pub_date='2009-04-17'>
  <ruleset name='esxi' id='123456678'>
    <pattern>ESXI</pattern>
    <rules>
      <rule provider='Fone Bro' id='182437592347598' class='esxi'>
        <patterns>
          <pattern>@STRING:.esxi.month:@ @STRING:.esxi.date:@ @STRING:.esxi.time::@@IPv4:.esxi.host_ip:@ @ESTRING:.esxi.program::@ @ANYSTRING:.esxi.message@</pattern>
        </patterns>
      </rule>
    </rules>
  </ruleset>
</patterndb>
######## syslog-ng.conf ########
#####Parser#####
parser pattern_db {
    db_parser(file("/etc/syslog-ng/patterndb/esxi_pattern.xml"));
};
#Check pattern matching
destination udp_esxi_output {
    file("/var/log/pattern_output"
        template("=== $PROGRAM,${.esxi_month} ${.esxi.date} ${.esxi.time} HOST IP ${.esxi.host_ip},${.esxi.message}\n")
        template_escape(no));
};
#####Log#####
log {
    source(s_network);
    parser(pattern_db);
    destination(udp_esxi_output);
};
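Why pdbtool says "match" while the live parser produces empty macros, as an added example (editor's own Python, not the poster's configuration and not syslog-ng code). The pdbtool command above forces two things the running daemon never sees: `-P ESXI` sets the program name, and `-M` hands db-parser the complete wire line including the "Apr 26 15:17:31 192.168.88.71 vmkernel:" header. A network source with default flags strips that header first, so db-parser receives PROGRAM=vmkernel and a MESSAGE that starts at "cpu11:8203)NMP:". The ruleset keyed on ESXI is therefore never selected, and a rule pattern shaped like the header could not fit the stripped message even if it were. The script below emulates that path in simplified form (it covers only the STRING, IPv4, ESTRING and ANYSTRING parsers and does not reproduce every detail of the real radix-tree matcher); the `vmkernel` ruleset key and the `.esxi.cpu` / `.esxi.module` names are my suggested replacement and do not appear in the thread. It also shows, via `render`, why the `${.esxi_month}` spelling in the posted template would stay blank even once the rule matches.

```python
"""
Simplified emulation of the path the poster's ESXi message takes inside
syslog-ng: the network source splits the BSD-syslog header into HOST,
PROGRAM and MESSAGE, then db-parser selects a ruleset by PROGRAM and matches
the rule pattern against MESSAGE only.

Added example for this thread, not syslog-ng code. Covers only the parser
types the poster used (STRING, IPv4, ESTRING, ANYSTRING).
"""
import re

# Constructed sample: the line exactly as the poster fed it to pdbtool -M
# (the inner quotes around the device paths were eaten by the shell).
RAW = ('Apr 26 15:17:31 192.168.88.71 vmkernel: cpu11:8203)NMP: '
       'nmp_ThrottleLogForDevice:2319: Cmd 0x1a (0x4124444a6280, 0) to dev '
       'mpx.vmhba0:C0:T0:L0 on path vmhba0:C0:T0:L0 Failed: H:0x0 D:0x2 P:0x0 '
       'Valid sense data: 0x5 0x20 0x0. Act:NONE')

# The poster's ruleset <pattern> and rule pattern, verbatim from the thread.
POSTED_RULESET_PROGRAM = 'ESXI'
POSTED_RULE = ('@STRING:.esxi.month:@ @STRING:.esxi.date:@ @STRING:.esxi.time::@'
               '@IPv4:.esxi.host_ip:@ @ESTRING:.esxi.program::@ @ANYSTRING:.esxi.message@')

# Suggested replacement (assumed names, not from the thread): key the ruleset
# on the real program name and parse only what syslog-ng keeps in $MESSAGE.
# Host and timestamp are already available as $HOST and $DATE.
FIXED_RULESET_PROGRAM = 'vmkernel'
FIXED_RULE = '@ESTRING:.esxi.cpu:)@@ESTRING:.esxi.module::@ @ANYSTRING:.esxi.message@'

HEADER = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<program>[^:\s\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$')

def split_rfc3164(line):
    """Mimic a network()/udp() source with default flags: strip the BSD-syslog
    header and expose DATE, HOST, PROGRAM, PID and MESSAGE as separate fields."""
    m = HEADER.match(line)
    if not m:
        return {'MESSAGE': line}       # unparsable lines keep the whole text
    return {'DATE': m['ts'], 'HOST': m['host'], 'PROGRAM': m['program'],
            'PID': m['pid'] or '', 'MESSAGE': m['msg']}

TOKEN = re.compile(r'@([A-Za-z0-9]+)(?::([^:@]*))?(?::([^@]*))?@')

def pattern_to_regex(pattern):
    """Translate a patterndb rule pattern into a regex plus the list of value
    names, one per parser token, in order of appearance."""
    parts, names, pos = [], [], 0
    for i, tok in enumerate(TOKEN.finditer(pattern)):
        parts.append(re.escape(pattern[pos:tok.start()]))   # literal text
        ptype, name, param = tok.group(1), tok.group(2), tok.group(3) or ''
        if ptype == 'STRING':          # alphanumerics plus any extra chars given
            body, tail = r'[A-Za-z0-9%s]+' % re.escape(param), ''
        elif ptype == 'IPv4':
            body, tail = r'(?:\d{1,3}\.){3}\d{1,3}', ''
        elif ptype == 'ESTRING':       # up to the delimiter, which is consumed
            body = r'[^%s]*' % re.escape(param) if param else r'.*'
            tail = re.escape(param)
        elif ptype == 'ANYSTRING':
            body, tail = r'.*', ''
        else:
            raise ValueError('parser type not emulated: ' + ptype)
        parts.append('(?P<g%d>%s)%s' % (i, body, tail))
        names.append(name or 'value%d' % i)
        pos = tok.end()
    parts.append(re.escape(pattern[pos:]))
    return re.compile(''.join(parts), re.DOTALL), names

def db_parse(fields, ruleset_program, rule_pattern):
    """Emulate db-parser: a ruleset is only consulted when its <pattern> equals
    $PROGRAM, and the rule must match the whole of $MESSAGE."""
    if fields.get('PROGRAM') != ruleset_program:
        return None
    rx, names = pattern_to_regex(rule_pattern)
    m = rx.fullmatch(fields.get('MESSAGE', ''))
    if not m:
        return None
    return {name: m.group('g%d' % i) for i, name in enumerate(names)}

MACRO = re.compile(r'\$\{([^}]+)\}|\$([A-Za-z0-9_]+)')

def render(template, values):
    """Expand $NAME / ${name} like a syslog-ng template; unknown names expand
    to nothing, which is why a typo such as ${.esxi_month} yields a blank."""
    return MACRO.sub(lambda m: values.get(m.group(1) or m.group(2), ''), template)

if __name__ == '__main__':
    fields = split_rfc3164(RAW)
    print('source gives PROGRAM=%r, MESSAGE starts %r' % (fields['PROGRAM'], fields['MESSAGE'][:16]))
    print('posted ruleset, live message :', db_parse(fields, POSTED_RULESET_PROGRAM, POSTED_RULE))
    # Even with the program forced as pdbtool -P does, a header-shaped pattern
    # cannot fit a message whose header was already stripped.
    print('posted rule, PROGRAM forced  :', db_parse(dict(fields, PROGRAM='ESXI'), POSTED_RULESET_PROGRAM, POSTED_RULE))
    values = db_parse(fields, FIXED_RULESET_PROGRAM, FIXED_RULE)
    print('fixed ruleset, live message  :', values)
    print(render('=== $PROGRAM,$HOST ${.esxi.module} ${.esxi.cpu}', dict(fields, **values)))
```

To check the same thing with the real tool, give pdbtool the program and message as syslog-ng stores them (`-P vmkernel` and an `-M` argument that begins at `cpu11:8203)NMP:`) rather than the raw wire line, and make the ruleset element read `<pattern>vmkernel</pattern>`; if the source is configured with flags(no-parse), the header is kept in $MESSAGE and the original header-shaped pattern becomes the right one again.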