Re: [syslog-ng] Quotes and parser with pattern db in syslog-ng 3.1.1
Hi,

it seems to be a bit odd that your original pattern is not working, it might be some quirk with the STRING parser. However, using a QSTRING parser should be better in your case, as it is generally faster than the STRING parser, and more suitable for this message part, like this:

<pattern>syslog-ng shutting down; version=@QSTRING::'@</pattern>

Regards,
Robert

On Wednesday, July 21, 2010 18:07 CEST, "Ilas, Yann" <yann.ilas@eads.com> wrote:
I have a question about the parser using the db_parser and xml file. I'm currently using the version 3.1.1 of syslog-ng.
Here is the xml file named "syslog-ng.xml":

<?xml version='1.0' encoding='UTF-8'?>
<patterndb version='3' pub_date='2010-07-21'>
  <ruleset name='syslog-ng' id='syslog-ng-01'>
    <pattern>syslog-ng</pattern>
    <rules>
      <rule provider='yann' id='syslog:server:0123456789:id001' class='system'>
        <patterns>
          <pattern>syslog-ng shutting down; version='@STRING::@'</pattern>
          <examples>
            <example>
              <test_message>syslog-ng shutting down; version='3.1.1'</test_message>
            </example>
          </examples>
          <values>
            <value name=".classifier.facility">syslog</value>
            <value name=".classifier.severity">notice</value>
            <value name=".classifier.priority">45</value>
          </values>
        </patterns>
      </rule>
    </rules>
  </ruleset>
</patterndb>
I would like to test that configuration with the following message "syslog-ng shutting down; version='3.1.1'" by using pdbtool.
# /opt/syslog-ng/bin/pdbtool match -p /tmp/syslog-ng.xml -P syslog-ng -M "syslog-ng shutting down; version='3.1.1'"
MESSAGE=syslog-ng shutting down; version='3.1.1'
PROGRAM=syslog-ng
.classifier.class=unknown
The result is odd because my message seems to be right... I suspected the quotes, so I removed the quotes in the xml file.
Let's try again with the same message without quotes:

(...)
<pattern>syslog-ng shutting down; version=@STRING::@</pattern>
(...)

Test:

# /opt/syslog-ng/bin/pdbtool match -p /tmp/syslog-ng.xml -P syslog-ng -M "syslog-ng shutting down; version=3.1.1"
MESSAGE=syslog-ng shutting down; version=3.1.1
PROGRAM=syslog-ng
.classifier.class=system
.classifier.rule_id=syslog:server:0123456789:id001
.classifier.facility=syslog
.classifier.severity=notice
.classifier.priority=45
It works.
What's wrong with my message? I tried to remove the second quote in the xml file like this:

(...)
<pattern>syslog-ng shutting down; version='@STRING::@</pattern>
(...)

Test:

# /opt/syslog-ng/bin/pdbtool match -p /tmp/syslog-ng.xml -P syslog-ng -M "syslog-ng shutting down; version='3.1.1"
MESSAGE=syslog-ng shutting down; version='3.1.1
PROGRAM=syslog-ng
.classifier.class=system
.classifier.rule_id=syslog:server:0123456789:id001
.classifier.facility=syslog
.classifier.severity=notice
.classifier.priority=45
I have the same result if I change my xml file like this:

(...)
<pattern>syslog-ng shutting down; version=''@STRING::@</pattern>
(...)

Test:

# /opt/syslog-ng/bin/pdbtool match -p /tmp/syslog-ng.xml -P syslog-ng -M "syslog-ng shutting down; version=''3.1.1"
MESSAGE=syslog-ng shutting down; version=''3.1.1
PROGRAM=syslog-ng
.classifier.class=system
.classifier.rule_id=syslog:server:0123456789:id001
.classifier.facility=syslog
.classifier.severity=notice
.classifier.priority=45
Can't I have a message like this one 'texttexttext' ? Or did I miss something ?
Last test: I change the xml file like this:

(...)
<pattern>syslog-ng shutting down; version='3.1.1'</pattern>
(...)

=> I remove the @STRING::@ and the pdbtool returned the .classifier.facility, .classifier.severity, etc.
May I use @STRING::@ between two simple quotes ?
Regards,
Yann I.
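
Added example, not part of the original thread and not syslog-ng code: a simplified Python model of the STRING and QSTRING parsers, run over the patterns and messages tested above. It assumes, following the syslog-ng documentation, that STRING accepts alphanumeric characters plus any extra characters listed as its parameter and that QSTRING takes the text between the given quote characters; it also assumes that message text left over after the pattern does not prevent a match, which is what the pdbtool results above suggest. The names `match`, `CASES` and `run_cases` are hypothetical.

```python
import re

# One parser reference in a pattern: @PARSER:name:param@ (simplified syntax).
TOKEN = re.compile(r"@(STRING|QSTRING):([^:@]*):([^@]*)@")

def match(pattern, message):
    """Return the captured values if the modelled matcher accepts, else None."""
    pos, last, captures = 0, 0, {}
    for tok in TOKEN.finditer(pattern):
        literal = pattern[last:tok.start()]
        if not message.startswith(literal, pos):
            return None
        pos += len(literal)
        kind, name, param = tok.groups()
        if kind == "STRING":
            # Assumption: alphanumerics plus characters listed in param.
            end = pos
            while end < len(message) and (message[end].isalnum()
                                          or message[end] in param):
                end += 1
            if end == pos:
                return None
            value = message[pos:end]
        else:
            # QSTRING: param holds the quote character (or open/close pair).
            if not param or not message.startswith(param[0], pos):
                return None
            close_at = message.find(param[-1], pos + 1)
            if close_at < 0:
                return None
            value, end = message[pos + 1:close_at], close_at + 1
        captures[name or "_"] = value
        pos, last = end, tok.end()
    # Assumption: text remaining after the pattern does not block the match.
    return captures if message.startswith(pattern[last:], pos) else None

PREFIX = "syslog-ng shutting down; version="
CASES = [  # (pattern tail, message tail), taken from the thread unless noted
    ("'@STRING::@'", "'3.1.1'"),    # original rule: class=unknown
    ("@STRING::@", "3.1.1"),        # no quotes
    ("'@STRING::@", "'3.1.1"),      # opening quote only
    ("''@STRING::@", "''3.1.1"),    # two opening quotes
    ("'3.1.1'", "'3.1.1'"),         # literal, no parser
    ("@QSTRING::'@", "'3.1.1'"),    # Robert's suggested pattern
    ("'@STRING::.@'", "'3.1.1'"),   # constructed: '.' listed as extra char
]

def run_cases():
    return [match(PREFIX + p, PREFIX + m) is not None for p, m in CASES]

if __name__ == "__main__":
    for (p, m), ok in zip(CASES, run_cases()):
        print(f"{p:16} {m:10} {'match' if ok else 'no match'}")
```

In this model the original rule fails because STRING stops at the first `.`, so the closing quote in the pattern is compared against `.` in the message.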
participants (1): Fekete Róbert