thanks to your reply.  i do not understand how to do now. it puzzle and trouble me some days.   i read the balabit syslog-ng OSE guide documents and only have simple information in there.

how to do on this
----->>>>
If you change the patterndb ruleset pattern to use a program of system rather than ESXI I think it would work.


2013/4/28 <syslog-ng-request@lists.balabit.hu>
Send syslog-ng mailing list submissions to
        syslog-ng@lists.balabit.hu

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.balabit.hu/mailman/listinfo/syslog-ng
or, via email, send a message with subject or body 'help' to
        syslog-ng-request@lists.balabit.hu

You can reach the person managing the list at
        syslog-ng-owner@lists.balabit.hu

When replying, please edit your Subject line so it is more specific
than "Re: Contents of syslog-ng digest..."


Today's Topics:

   1.  Can not get DBParse match macro result (syslog-ng 3.13
      debian squeeze) (????)
   2. Re:  Can not get DBParse match macro result (syslog-ng 3.13
      debian squeeze) (Evan Rempel)


----------------------------------------------------------------------

Message: 1
Date: Sat, 27 Apr 2013 22:34:50 +0800
From: ???? <onlydebian@gmail.com>
Subject: [syslog-ng] Can not get DBParse match macro result (syslog-ng
        3.13    debian squeeze)
To: syslog-ng@lists.balabit.hu
Message-ID:
        <CA+SSH2oBB2-WWvQksbchVVoyhfZbdVvDR=V7wJ1EJdvE6Zx9zg@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

when use pdbtool do match test, it is success. but from syslog-ng can not
return result of macro
i can not get macro result.  for example,   ${.esxi.month}  no value, same
as ${.esxi.host_ip} ${.esxi.time}

test log output ,just like this.
=== system,error,critical,   HOST IP ,
=== system,error,critical,   HOST IP ,
=== system,error,critical,   HOST IP ,
=== system,error,critical,   HOST IP ,
=== system,error,critical,   HOST IP ,
=== system,error,critical,   HOST IP ,
=== system,error,critical,   HOST IP ,
=== system,error,critical,   HOST IP ,
=== system,error,critical,   HOST IP ,


do the pdbtool test, it's ok.  wish someone can give me some solution and
help. i have search some mail list but i can not get the right solution.
 thanks a lot.

root@debian:~# pdbtool match -D -c -p
/etc/syslog-ng/patterndb/esxi_pattern.xml -P ESXI -M "Apr 26 15:17:31
192.168.88.71 vmkernel: cpu11:8203)NMP: nmp_ThrottleLogForDevice:2319: Cmd
0x1a (0x4124444a6280, 0) to dev "mpx.vmhba0:C0:T0:L0" on path
"vmhba0:C0:T0:L0" Failed: H:0x0 D:0x2 P:0x0 Valid sense data: 0x5 0x20 0x0.
Act:NONE"
Pattern matching part:
@STRING:.esxi.month=Apr@ @STRING:.esxi.date=26@
@STRING:.esxi.time=15:17:31@@IPv4:.esxi.host_ip=192.168.88.71@@ESTRING:.esxi.program=
vmkernel: cpu11:8203)NMP: nmp_ThrottleLogForDevice:2319: Cmd 0x1a
(0x4124444a6280, 0) to dev mpx.vmhba0:C0:T0:L0 on path vmhba0:C0:T0:L0
Failed: H:0x0 D:0x2 P:0x0 Valid sense data: 0x5 0x20 0x0.
Act:NONE@@ANYSTRING:.esxi.message=cpu11:8203)NMP:
nmp_ThrottleLogForDevice:2319: Cmd
0x1a (0x4124444a6280, 0) to dev mpx.vmhba0:C0:T0:L0 on path vmhba0:C0:T0:L0
Failed: H:0x0 D:0x2 P:0x0 Valid sense data: 0x5 0x20 0x0. Act:NONE@
Matching part:
Apr 26 15:17:31 192.168.88.71 vmkernel: cpu11:8203)NMP:
nmp_ThrottleLogForDevice:2319: Cmd 0x1a (0x4124444a6280, 0) to dev
mpx.vmhba0:C0:T0:L0 on path vmhba0:C0:T0:L0 Failed: H:0x0 D:0x2 P:0x0 Valid
sense data: 0x5 0x20 0x0. Act:NONE
Values:
MESSAGE=Apr 26 15:17:31 192.168.88.71 vmkernel: cpu11:8203)NMP:
nmp_ThrottleLogForDevice:2319: Cmd 0x1a (0x4124444a6280, 0) to dev
mpx.vmhba0:C0:T0:L0 on path vmhba0:C0:T0:L0 Failed: H:0x0 D:0x2 P:0x0 Valid
sense data: 0x5 0x20 0x0. Act:NONE
PROGRAM=ESXI
.classifier.class=esxi
.classifier.rule_id=182437592347598
.esxi.month=Apr
.esxi.date=26
.esxi.time=15:17:31
.esxi.host_ip=192.168.88.71
.esxi.program= vmkernel
.esxi.message=cpu11:8203)NMP: nmp_ThrottleLogForDevice:2319: Cmd 0x1a
(0x4124444a6280, 0) to dev mpx.vmhba0:C0:T0:L0 on path vmhba0:C0:T0:L0
Failed: H:0x0 D:0x2 P:0x0 Valid sense data: 0x5 0x20 0x0. Act:NONE
root@debian:~#


my configuration like as below

########   esxi_pattern.xml ############
<?xml version="1.0" encoding="utf-8"?>
<patterndb version='3' pub_date='2009-04-17'>
<ruleset name='esxi' id='123456678'>
<pattern>ESXI</pattern>
<rules>
<rule provider='Fone Bro' id='182437592347598' class='esxi'>
<patterns>
<pattern>@STRING:.esxi.month:@ @STRING:.esxi.date:@
@STRING:.esxi.time::@@IPv4:.esxi.host_ip:@
@ESTRING:.esxi.program::@ @ANYSTRING:.esxi.message@</pattern>
</patterns>
</rule>
</rules>
</ruleset>
</patterndb>

######## syslog-ng.conf      ########

#####Parser#####
parser pattern_db {
        db_parser( file("/etc/syslog-ng/patterndb/esxi_pattern.xml"));
};

#Check pattern matching
destination udp_esxi_output {
   file("/var/log/pattern_output"
   template("=== $PROGRAM,${.esxi_month} ${.esxi.date} ${.esxi.time} HOST
IP ${.esxi.host_ip},${.esxi.message}\n")
template_escape(no));
};

#####Log#####
log {
        source(s_network);
        parser(pattern_db);
        destination(udp_esxi_output);
};
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20130427/20e80756/attachment.html

------------------------------

Message: 2
Date: Sat, 27 Apr 2013 16:10:02 +0000
From: Evan Rempel <erempel@uvic.ca>
Subject: Re: [syslog-ng] Can not get DBParse match macro result
        (syslog-ng 3.13 debian squeeze)
To: "Syslog-ng users' and developers' mailing list"
        <syslog-ng@lists.balabit.hu>
Message-ID: <q8vb966l4qe0219lsusm5ju4.1367078999747@email.android.com>
Content-Type: text/plain; charset="iso-2022-jp"

It would appear that you have everything correct when the "PROGRAM" is ESXI but the log line as syslog-ng sees it has a PROGRAM of "system" according to your test log output.

If you change the patterndb ruleset pattern to use a program of system rather than ESXI I think it would work.


Evan Rempel   250.271.7691
University Systems, University of Victoria

???? <onlydebian@gmail.com> wrote:



when use pdbtool do match test, it is success. but from syslog-ng can not return result of macro
i can not get macro result.  for example,   ${.esxi.month}  no value, same as ${.esxi.host_ip} ${.esxi.time}

test log output ,just like this.
=== system,error,critical,   HOST IP ,
=== system,error,critical,   HOST IP ,
=== system,error,critical,   HOST IP ,
=== system,error,critical,   HOST IP ,
=== system,error,critical,   HOST IP ,
=== system,error,critical,   HOST IP ,
=== system,error,critical,   HOST IP ,
=== system,error,critical,   HOST IP ,
=== system,error,critical,   HOST IP ,


do the pdbtool test, it's ok.  wish someone can give me some solution and help. i have search some mail list but i can not get the right solution.  thanks a lot.

root@debian:~# pdbtool match -D -c -p /etc/syslog-ng/patterndb/esxi_pattern.xml -P ESXI -M "Apr 26 15:17:31 192.168.88.71 vmkernel: cpu11:8203)NMP: nmp_ThrottleLogForDevice:2319: Cmd 0x1a (0x4124444a6280, 0) to dev "mpx.vmhba0:C0:T0:L0" on path "vmhba0:C0:T0:L0" Failed: H:0x0 D:0x2 P:0x0 Valid sense data: 0x5 0x20 0x0. Act:NONE"
Pattern matching part:
@STRING:.esxi.month=Apr@ @STRING:.esxi.date=26@ @STRING:.esxi.time=15:17:31@ @IPv4:.esxi.host_ip=192.168.88.71@@ESTRING:.esxi.program= vmkernel: cpu11:8203)NMP: nmp_ThrottleLogForDevice:2319: Cmd 0x1a (0x4124444a6280, 0) to dev mpx.vmhba0:C0:T0:L0 on path vmhba0:C0:T0:L0 Failed: H:0x0 D:0x2 P:0x0 Valid sense data: 0x5 0x20 0x0. Act:NONE@ @ANYSTRING:.esxi.message=cpu11:8203)NMP: nmp_ThrottleLogForDevice:2319: Cmd 0x1a (0x4124444a6280, 0) to dev mpx.vmhba0:C0:T0:L0 on path vmhba0:C0:T0:L0 Failed: H:0x0 D:0x2 P:0x0 Valid sense data: 0x5 0x20 0x0. Act:NONE@
Matching part:
Apr 26 15:17:31 192.168.88.71 vmkernel: cpu11:8203)NMP: nmp_ThrottleLogForDevice:2319: Cmd 0x1a (0x4124444a6280, 0) to dev mpx.vmhba0:C0:T0:L0 on path vmhba0:C0:T0:L0 Failed: H:0x0 D:0x2 P:0x0 Valid sense data: 0x5 0x20 0x0. Act:NONE
Values:
MESSAGE=Apr 26 15:17:31 192.168.88.71 vmkernel: cpu11:8203)NMP: nmp_ThrottleLogForDevice:2319: Cmd 0x1a (0x4124444a6280, 0) to dev mpx.vmhba0:C0:T0:L0 on path vmhba0:C0:T0:L0 Failed: H:0x0 D:0x2 P:0x0 Valid sense data: 0x5 0x20 0x0. Act:NONE
PROGRAM=ESXI
.classifier.class=esxi
.classifier.rule_id=182437592347598
.esxi.month=Apr
.esxi.date=26
.esxi.time=15:17:31
.esxi.host_ip=192.168.88.71
.esxi.program= vmkernel
.esxi.message=cpu11:8203)NMP: nmp_ThrottleLogForDevice:2319: Cmd 0x1a (0x4124444a6280, 0) to dev mpx.vmhba0:C0:T0:L0 on path vmhba0:C0:T0:L0 Failed: H:0x0 D:0x2 P:0x0 Valid sense data: 0x5 0x20 0x0. Act:NONE
root@debian:~#


my configuration like as below

########   esxi_pattern.xml ############
<?xml version="1.0" encoding="utf-8"?>
<patterndb version='3' pub_date='2009-04-17'>
<ruleset name='esxi' id='123456678'>
<pattern>ESXI</pattern>
<rules>
<rule provider='Fone Bro' id='182437592347598' class='esxi'>
<patterns>
<pattern>@STRING:.esxi.month:@ @STRING:.esxi.date:@ @STRING:.esxi.time::@ @IPv4:.esxi.host_ip:@@ESTRING:.esxi.program::@ @ANYSTRING:.esxi.message@</pattern>
</patterns>
</rule>
</rules>
</ruleset>
</patterndb>

######## syslog-ng.conf      ########

#####Parser#####
parser pattern_db {
        db_parser( file("/etc/syslog-ng/patterndb/esxi_pattern.xml"));
};

#Check pattern matching
destination udp_esxi_output {
   file("/var/log/pattern_output"
   template("=== $PROGRAM,${.esxi_month} ${.esxi.date} ${.esxi.time} HOST IP ${.esxi.host_ip},${.esxi.message}\n")
template_escape(no));
};

#####Log#####
log {
        source(s_network);
        parser(pattern_db);
        destination(udp_esxi_output);
};

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20130427/2f67c039/attachment-0001.htm

------------------------------

_______________________________________________
syslog-ng maillist  -  syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng


End of syslog-ng Digest, Vol 96, Issue 25
*****************************************