Can not get DBParse match macro result (syslog-ng 3.13 debian squeeze)
When I use pdbtool to do a match test, it succeeds, but syslog-ng does not return the macro results; I cannot get the macro values. For example, ${.esxi.month} has no value, and the same goes for ${.esxi.host_ip} and ${.esxi.time}.

The test log output looks like this:

=== system,error,critical, HOST IP ,
=== system,error,critical, HOST IP ,
=== system,error,critical, HOST IP ,
=== system,error,critical, HOST IP ,
=== system,error,critical, HOST IP ,
=== system,error,critical, HOST IP ,
=== system,error,critical, HOST IP ,
=== system,error,critical, HOST IP ,
=== system,error,critical, HOST IP ,

The pdbtool test is OK. I hope someone can give me a solution and some help. I have searched some mailing lists but could not find the right solution. Thanks a lot.

root@debian:~# pdbtool match -D -c -p /etc/syslog-ng/patterndb/esxi_pattern.xml -P ESXI -M "Apr 26 15:17:31 192.168.88.71 vmkernel: cpu11:8203)NMP: nmp_ThrottleLogForDevice:2319: Cmd 0x1a (0x4124444a6280, 0) to dev "mpx.vmhba0:C0:T0:L0" on path "vmhba0:C0:T0:L0" Failed: H:0x0 D:0x2 P:0x0 Valid sense data: 0x5 0x20 0x0. Act:NONE"
Pattern matching part:
@STRING:.esxi.month=Apr@ @STRING:.esxi.date=26@ @STRING:.esxi.time=15:17:31@@IPv4:.esxi.host_ip=192.168.88.71@@ESTRING:.esxi.program= vmkernel: cpu11:8203)NMP: nmp_ThrottleLogForDevice:2319: Cmd 0x1a (0x4124444a6280, 0) to dev mpx.vmhba0:C0:T0:L0 on path vmhba0:C0:T0:L0 Failed: H:0x0 D:0x2 P:0x0 Valid sense data: 0x5 0x20 0x0. Act:NONE@@ANYSTRING:.esxi.message=cpu11:8203)NMP: nmp_ThrottleLogForDevice:2319: Cmd 0x1a (0x4124444a6280, 0) to dev mpx.vmhba0:C0:T0:L0 on path vmhba0:C0:T0:L0 Failed: H:0x0 D:0x2 P:0x0 Valid sense data: 0x5 0x20 0x0. Act:NONE@
Matching part:
Apr 26 15:17:31 192.168.88.71 vmkernel: cpu11:8203)NMP: nmp_ThrottleLogForDevice:2319: Cmd 0x1a (0x4124444a6280, 0) to dev mpx.vmhba0:C0:T0:L0 on path vmhba0:C0:T0:L0 Failed: H:0x0 D:0x2 P:0x0 Valid sense data: 0x5 0x20 0x0. Act:NONE
Values:
MESSAGE=Apr 26 15:17:31 192.168.88.71 vmkernel: cpu11:8203)NMP: nmp_ThrottleLogForDevice:2319: Cmd 0x1a (0x4124444a6280, 0) to dev mpx.vmhba0:C0:T0:L0 on path vmhba0:C0:T0:L0 Failed: H:0x0 D:0x2 P:0x0 Valid sense data: 0x5 0x20 0x0. Act:NONE
PROGRAM=ESXI
.classifier.class=esxi
.classifier.rule_id=182437592347598
.esxi.month=Apr
.esxi.date=26
.esxi.time=15:17:31
.esxi.host_ip=192.168.88.71
.esxi.program= vmkernel
.esxi.message=cpu11:8203)NMP: nmp_ThrottleLogForDevice:2319: Cmd 0x1a (0x4124444a6280, 0) to dev mpx.vmhba0:C0:T0:L0 on path vmhba0:C0:T0:L0 Failed: H:0x0 D:0x2 P:0x0 Valid sense data: 0x5 0x20 0x0. Act:NONE
root@debian:~#

My configuration is as below:

######## esxi_pattern.xml ############
<?xml version="1.0" encoding="utf-8"?>
<patterndb version='3' pub_date='2009-04-17'>
  <ruleset name='esxi' id='123456678'>
    <pattern>ESXI</pattern>
    <rules>
      <rule provider='Fone Bro' id='182437592347598' class='esxi'>
        <patterns>
          <pattern>@STRING:.esxi.month:@ @STRING:.esxi.date:@ @STRING:.esxi.time::@@IPv4:.esxi.host_ip:@ @ESTRING:.esxi.program::@ @ANYSTRING:.esxi.message@</pattern>
        </patterns>
      </rule>
    </rules>
  </ruleset>
</patterndb>

######## syslog-ng.conf ########
#####Parser#####
parser pattern_db {
    db_parser( file("/etc/syslog-ng/patterndb/esxi_pattern.xml"));
};

#Check pattern matching
destination udp_esxi_output {
    file("/var/log/pattern_output"
        template("=== $PROGRAM,${.esxi_month} ${.esxi.date} ${.esxi.time} HOST IP ${.esxi.host_ip},${.esxi.message}\n")
        template_escape(no));
};

#####Log#####
log {
    source(s_network);
    parser(pattern_db);
    destination(udp_esxi_output);
};
It would appear that you have everything correct when the "PROGRAM" is ESXI but the log line as syslog-ng sees it has a PROGRAM of "system" according to your test log output. If you change the patterndb ruleset pattern to use a program of system rather than ESXI I think it would work.

Evan Rempel
250.271.7691
University Systems, University of Victoria
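
Added example, not part of either message and not syslog-ng code: a simplified Python model of the two-stage lookup discussed in this thread, where the ruleset is chosen by PROGRAM before any rule is tried on the message. It assumes regexes as stand-ins for the rule's radix parsers, an exact match on the ruleset program pattern, and a shortened sample message.

```python
import re

# Regex stand-in (assumption) for the posted rule's radix parsers:
# @STRING@ @STRING@ @STRING::@ @IPv4@ @ESTRING::@ @ANYSTRING@
RULE = re.compile(
    r"(?P<month>\w+) (?P<date>\w+) (?P<time>[\w:]+) "
    r"(?P<host_ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<program>[^:]*): (?P<message>.*)")

# Ruleset program pattern -> [(class, rule)], as in the posted esxi_pattern.xml.
RULESETS = {"ESXI": [("esxi", RULE)]}

# Template copied from the posted syslog-ng.conf. Note ${.esxi_month}: the
# rule sets .esxi.month, so this one name stays empty even when a rule matches.
TEMPLATE = ("=== $PROGRAM,${.esxi_month} ${.esxi.date} ${.esxi.time} "
            "HOST IP ${.esxi.host_ip},${.esxi.message}")

def db_parse(program, message):
    """Stage 1 picks the ruleset by PROGRAM; stage 2 tries its rules on MESSAGE."""
    # db-parser classifies messages that match no rule as "unknown".
    values = {"PROGRAM": program, ".classifier.class": "unknown"}
    for cls, rule in RULESETS.get(program, []):
        m = rule.match(message)
        if m:
            values[".classifier.class"] = cls
            values.update({".esxi." + k: v for k, v in m.groupdict().items()})
            break
    return values

def render(template, values):
    """Expand $NAME and ${name}; names that were never set expand to ''."""
    return re.sub(r"\$\{([^}]+)\}|\$(\w+)",
                  lambda m: values.get(m.group(1) or m.group(2), ""), template)

# Shortened form of the message in the post's pdbtool command (constructed).
MSG = "Apr 26 15:17:31 192.168.88.71 vmkernel: cpu11:8203)NMP: Act:NONE"

forced = db_parse("ESXI", MSG)                  # what `pdbtool match -P ESXI` exercises
live = db_parse("system,error,critical", MSG)   # $PROGRAM field seen in the test output

if __name__ == "__main__":
    for v in (forced, live):
        print(v[".classifier.class"], "|", render(TEMPLATE, v))
```

On a running system, writing $PROGRAM and ${.classifier.class} to a debug destination shows which of the two stages failed: a class of "unknown" means no rule was applied at all.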
participants (2)
- Evan Rempel
- 不坏阿峰