On Tue, 2013-11-26 at 13:56 +0100, Fabien Wernli wrote:
Hi,
I'm currently organizing my patterndb files into something easily maintainable, and I ran into the following problem, best explained using an example: sshd and pam_unix.
Some of the sshd-specific patterns reside in a specific ruleset, e.g.
<ruleset name='sshd' id='A'>
  <patterns>
    <pattern>sshd</pattern>
  </patterns>
  <rules>
    <rule> ... </rule>
  </rules>
</ruleset>
Some of sshd's messages come from pam_unix, e.g. modules/pam_unix/support.c, and are shared among other daemons:
<ruleset name='pam_unix' id='B'>
  <patterns>
    <pattern>crond</pattern>
    <pattern>imap</pattern>
    <pattern>login</pattern>
    <pattern>pam</pattern>
    <pattern>pure-ftpd</pattern>
    <pattern>proftpd</pattern>
    <pattern>sshd</pattern>
    <pattern>su</pattern>
    <pattern>sudo</pattern>
    ...
  </patterns>
  <rules>
    <rule> ... </rule>
  </rules>
</ruleset>
The problem is, when an sshd message is parsed, even if it doesn't match any rules in ruleset 'A', ruleset 'B' isn't even considered for matching.
So how do I properly organize my pdb tree, without duplicating rules in multiple source files?
Hmm... patterns are merged, so which file the given pattern is read from is irrelevant. syslog-ng matches on the $PROGRAM value first (the pattern listed right below the ruleset tag) and then the $MESSAGE value. So it should just work (tm). If it doesn't then probably the merge algorithm is at fault. Could you pls create a simpler, artificial example that demonstrates the issue so that I can reproduce it locally? Thanks.

-- 
Bazsi
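A small model of the merge behaviour Bazsi describes, added here as an illustration rather than code from syslog-ng or from either poster: program patterns from every ruleset are merged into one $PROGRAM index, so an sshd message that matches no rule in ruleset A is still tried against the pam_unix rules in ruleset B. The patterndb content and log lines are constructed, and the regex translation of `@ESTRING@`/`@NUMBER@` stands in for syslog-ng's real radix-tree matcher.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed minimal patterndb modelled on the thread: program 'sshd' is listed in
# both the sshd-specific ruleset A and the shared pam_unix ruleset B.
PDB_XML = """<patterndb version="4">
 <ruleset name="sshd" id="A">
  <patterns><pattern>sshd</pattern></patterns>
  <rules><rule id="A1" class="system"><patterns><pattern>Accepted publickey for @ESTRING:usr: @from @ESTRING:ip: @port @NUMBER:port@ ssh2</pattern></patterns></rule></rules>
 </ruleset>
 <ruleset name="pam_unix" id="B">
  <patterns><pattern>sshd</pattern><pattern>su</pattern><pattern>sudo</pattern></patterns>
  <rules><rule id="B1" class="system"><patterns><pattern>pam_unix(@ESTRING:svc::@session): session opened for user @ESTRING:usr: @by (uid=@NUMBER:uid@)</pattern></patterns></rule></rules>
 </ruleset>
</patterndb>"""

PARSER = re.compile(r"@(\w+):(\w+):?([^@]*)@")      # @ESTRING:name:delim@ or @NUMBER:name@

def pattern_to_regex(pattern):
    # Simplified stand-in for syslog-ng's radix-tree matcher: handles only the two parsers above.
    parts = PARSER.split(pattern)                   # [literal, kind, name, delim, literal, ...]
    out = re.escape(parts[0])
    for kind, name, delim, literal in zip(*[iter(parts[1:])] * 4):
        if kind == "ESTRING":                       # text up to and including the delimiter
            out += "(?P<%s>.*?)%s" % (name, re.escape(delim))
        elif kind == "NUMBER":
            out += r"(?P<%s>\d+)" % name
        else:
            raise ValueError("unsupported parser: " + kind)
        out += re.escape(literal)
    return re.compile("^" + out + "$")

def load_pdb(xml_text):
    # Merge program patterns across rulesets: the key is the $PROGRAM value, not the source file.
    index = defaultdict(list)                       # program -> [(ruleset id, rule id, regex)]
    for rs in ET.fromstring(xml_text).iter("ruleset"):
        rules = [(rule.get("id"), pattern_to_regex(p.text))
                 for rule in rs.iter("rule") for p in rule.iter("pattern")]
        for prog in rs.find("patterns").iter("pattern"):
            index[prog.text].extend((rs.get("id"), rid, rx) for rid, rx in rules)
    return index

def classify(index, program, message):
    # Match on $PROGRAM first, then try every rule registered for it, whatever ruleset it is from.
    for ruleset, rule, rx in index.get(program, []):
        m = rx.match(message)
        if m:
            return ruleset, rule, m.groupdict()
    return None
```

With this index, `classify(load_pdb(PDB_XML), "sshd", "pam_unix(sshd:session): session opened for user root by (uid=0)")` resolves to rule B1 even though the sshd-specific ruleset A is consulted first, which is the behaviour Fabien expected and did not observe.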