New db-parser format and other improvements
Hi,

I have already mentioned earlier that I am planning to back-port the new db-parser patterndb format to syslog-ng OSE. After Bazsi's plan on the 4.0 roadmap I had no more excuse and did the backporting last week. So anyone interested in the new format can find the code in my git tree.

Format 2 is more flexible and hopefully easier to use. Meanwhile I removed support for the version 1 format. Converting between the formats is very straightforward, but I also plan to add an XSLT for conversions.

The new format has support and flexibility for a couple of interesting things:

 * rules for one program can be separated into multiple rulesets
 * rulesets can be defined without a program pattern; these act as fallback rulesets if no program pattern matches or when the message does not have a program part
 * one rule can have any number of patterns attached to it (sometimes the same message has multiple formats, just think about multilingual messages)
 * tags can be attached to rules (IMPORTANT: as of now tags are not considered, but at least the format has a place for them!)

The new patterndb format looks like this:

  <patterndb version="2" pub_date="2009-06-04">
    <ruleset name="testset" id="4182799f-9d1e-48a2-aa1e-aa4bdac6aff8">
      <rules>
        <rule provider="balabit" id="4a3b027a-3c5c-4c55-a28b-ce8052e8a327" class="system">
          <tags>
            <tag>login</tag>
          </tags>
          <patterns>
            <pattern>HERE COMES THE PATTERN</pattern>
          </patterns>
        </rule>
      </rules>
    </ruleset>
  </patterndb>

I have added new parsers to the db-parser:

 * IPv6 to parse IPv6 addresses with all the special notation styles
 * IPvANY to match either IPv4 or IPv6 addresses
 * NUMBER parser now handles hexadecimal numbers with the 0x or 0X prefix
 * DOUBLE parser to match and parse non-integer numbers

I am trying to find some time in the near future to add the missing tag support and provide some more details on the new format.

cheers,
Marton

--
Key fingerprint = F78C 25CA 5F88 6FAF EA21 779D 3279 9F9E 1155 670D
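As an added worked example (not syslog-ng's own code, nor the author's), here is a simplified Python version of the four parsers listed above, plus a minimal matcher that tries each of a rule's patterns in turn, as format 2 allows; the @PARSER:name@ token syntax is assumed from syslog-ng patterns and is not shown in the post.

```python
import ipaddress
import re
# Added example, not syslog-ng's own code: a simplified version of the db-parser
# token types listed in the post (IPv6, IPvANY, NUMBER with 0x, DOUBLE). The
# @PARSER:name@ token syntax is assumed; each parser consumes a prefix of msg.

_IP_SPAN = re.compile(r'[0-9A-Fa-f:.]+')            # candidate chars, validated below
_NUMBER = re.compile(r'0[xX][0-9A-Fa-f]+|\d+')
_DOUBLE = re.compile(r'[-+]?\d+(?:\.\d+)?')
_TOKEN = re.compile(r'@(\w+):(\w+)@')

def _parse_ip(msg, cls):
    # Longest prefix that cls accepts: covers ::, ::1, 2001:db8::1 and ::ffff:1.2.3.4
    m = _IP_SPAN.match(msg)
    for end in range(m.end() if m else 0, 0, -1):
        try:
            cls(msg[:end])                          # raises ValueError if not an address
            return msg[:end], msg[end:]
        except ValueError:
            pass
    return None
def parse_ipv4(msg): return _parse_ip(msg, ipaddress.IPv4Address)
def parse_ipv6(msg): return _parse_ip(msg, ipaddress.IPv6Address)
def parse_ipvany(msg): return parse_ipv4(msg) or parse_ipv6(msg)
def parse_number(msg):
    m = _NUMBER.match(msg)
    if not m:
        return None
    return int(m.group(), 16 if m.group().lower().startswith('0x') else 10), msg[m.end():]
def parse_double(msg):
    m = _DOUBLE.match(msg)
    return (float(m.group()), msg[m.end():]) if m else None
PARSERS = {'IPv4': parse_ipv4, 'IPv6': parse_ipv6, 'IPvANY': parse_ipvany,
           'NUMBER': parse_number, 'DOUBLE': parse_double}

def match_pattern(pattern, msg):
    """Match msg against literal text plus @PARSER:name@ tokens; dict of values or None."""
    values, pos = {}, 0
    for tok in _TOKEN.finditer(pattern):
        literal = pattern[pos:tok.start()]
        res = PARSERS[tok.group(1)](msg[len(literal):]) if msg.startswith(literal) else None
        if res is None:
            return None
        values[tok.group(2)], msg = res
        pos = tok.end()
    return values if msg == pattern[pos:] else None

def match_rule(patterns, msg):
    """A format-2 rule may carry several patterns; the first that matches wins."""
    return next((v for v in (match_pattern(p, msg) for p in patterns) if v is not None), None)
```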
participants (1)
-
ILLES, Marton