Hi,

The syslog-ng pattern database is capable of extracting fields and classifying log messages, and with well-structured name-value pairs you can achieve log normalization as well. However, currently there are not many well-written and tagged patterns available, so you will probably have to create your own patterns.

You can find some sample patterns and a preliminary schema at the following git repository: http://git.balabit.hu/?p=bazsi/syslog-ng-patterndb.git;a=summary and some other, less-detailed patterns at http://www.balabit.com/downloads/files/patterndb-snapshot/

You might also want to check Bazsi's blog (http://bazsi.blogs.balabit.com), it has a number of interesting posts about patterndb, and of course the syslog-ng adminguide, in particular: http://www.balabit.com/dl/html/syslog-ng-ose-v3.1-guide-admin-en.html/concep... and http://www.balabit.com/dl/html/syslog-ng-ose-v3.1-guide-admin-en.html/refere...

Correlation has to be done with an external application based on the tags/fields you assign to your log messages - maybe others already using patterndb can help you with the details.

Regards,
Robert

majid as wrote:
Hi,

Thanks for replying and for the file. I work on a network management project (correlation of logs); my big problem is log classification and extracting log fields (normalization of logs). Do you have any ideas for it?
--- On Thu, 12/8/10, Robert Fekete <frobert@balabit.com> wrote:
From: Robert Fekete <frobert@balabit.com>
Subject: Re: [syslog-ng] Pattern extraction
To: "Syslog-ng users' and developers' mailing list" <syslog-ng@lists.balabit.hu>
Date: Thursday, 12 August, 2010, 4:19 PM
majid as wrote:
Hi,

I have a problem with pattern extraction from syslog messages. Can anyone help me with how to extract patterns?

Hi,

I assume you are trying to use the pattern database (db_parser()). My colleague, Peter Holtzl has written a tutorial about it that you might find useful: http://www.balabit.com/dl/white_papers/syslog-ng-v3.1-whitepaper-message-cla...
Otherwise, please let us know exactly what you are trying to do, how, and what the problem is so we can help you.
Regards,
Robert
------------------------------------------------------------------------
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.campin.net/syslog-ng/faq.html
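
A minimal pattern database of the kind discussed in this thread, as an added example that is not part of the original messages or of the repositories linked above. It classifies two sshd messages and extracts normalized fields; the provider name, rule ids, tag names, `usracct.*` field names and sample log line are constructed for illustration.

```xml
<!-- Added example: ids, provider, tags and field names are constructed. -->
<patterndb version='3' pub_date='2010-08-12'>
  <!-- Rules in this set are tried only for messages whose program name is "sshd". -->
  <ruleset name='sshd' id='00000000-0000-0000-0000-000000000001'>
    <pattern>sshd</pattern>
    <rules>
      <!-- Successful login: classified as "system", fields extracted by parsers. -->
      <rule provider='example' id='00000000-0000-0000-0000-000000000002' class='system'>
        <patterns>
          <!-- @ESTRING:name: @ captures text up to the next space and consumes that space. -->
          <pattern>Accepted @ESTRING:usracct.authmethod: @for @ESTRING:usracct.username: @from @IPv4:usracct.device@ port @NUMBER:usracct.port@ ssh2</pattern>
        </patterns>
        <!-- Sample message and expected values; "pdbtool test" checks these against the rule. -->
        <examples>
          <example>
            <test_message program='sshd'>Accepted password for alice from 192.0.2.10 port 50422 ssh2</test_message>
            <test_values>
              <test_value name='usracct.authmethod'>password</test_value>
              <test_value name='usracct.username'>alice</test_value>
              <test_value name='usracct.device'>192.0.2.10</test_value>
            </test_values>
          </example>
        </examples>
        <tags>
          <tag>usracct</tag>
          <tag>login_ok</tag>
        </tags>
      </rule>
      <!-- Failed login: same field names, so both events normalize to one schema. -->
      <rule provider='example' id='00000000-0000-0000-0000-000000000003' class='violation'>
        <patterns>
          <pattern>Failed @ESTRING:usracct.authmethod: @for @ESTRING:usracct.username: @from @IPv4:usracct.device@ port @NUMBER:usracct.port@ ssh2</pattern>
        </patterns>
        <tags>
          <tag>usracct</tag>
          <tag>login_failed</tag>
        </tags>
      </rule>
    </rules>
  </ruleset>
</patterndb>
```

When this file is loaded through db_parser(), each matching message carries the rule's class and tags plus the extracted name-value pairs, which are the fields an external correlation application can key on.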