Pattern Matching Issues
I am new to syslog-ng and just trying to get a basic version 1 XML pattern match file working properly. The output with an associated template is redirected to a file. It currently claims there is no such value. Does this mean that the pattern match has failed?

Using syslog-ng (3.0.8)

    parser p_patterndb {
        db_parser(file("/opt/syslog-ng/var/db/patterns/v1/test.xml"));
    };

    # Check pattern matching is working
    log {
        source(s_ext);
        parser(p_patterndb);    <<<<<
        destination(df_udp_pattern_output);
    };

    #Check pattern matching
    destination df_udp_pattern_output {
        file("/var/log/pattern_output" template("$PROGRAM,${rest},,$MSG\n") template_escape(no));
    };

Output of:

    /opt/syslog-ng/sbin/syslog-ng -e -F -d -v > /tmp/syslog-ng.out 2>&1

    Incoming log entry; line='<131>1 - - WXC-192.168.61.202 register 1102 [wx-event@juniper.net eventtime="1284626839" metric="Primary Reg Server Unreachable" sev="major" type="sys"] REG: Self registration failed. IP=192.168.61.242.'
    Filter rule evaluation begins; filter_rule='f_messages'
    Filter node evaluation result; filter_result='not-match', filter_type='level'
    Filter node evaluation result; filter_result='not-match', filter_type='AND'
    Filter rule evaluation result; filter_result='not-match', filter_rule='f_messages'
    Filter rule evaluation begins; filter_rule='f_udp_nagios_check'
    Filter node evaluation result; filter_result='not-match'
    Filter rule evaluation result; filter_result='not-match', filter_rule='f_udp_nagios_check'
    Filter rule evaluation begins; filter_rule='wxc_all'
    Filter node evaluation result; filter_result='not-match', filter_type='level'
    Filter rule evaluation result; filter_result='not-match', filter_rule='wxc_all'
    Filter rule evaluation begins; filter_rule='wxc_tunnel_info'
    Filter node evaluation result; filter_result='not-match', filter_type='level'
    Filter node evaluation result; filter_result='not-match', filter_type='AND'
    Filter rule evaluation result; filter_result='not-match', filter_rule='wxc_tunnel_info'
    Filter rule evaluation begins; filter_rule='wxc_tunnel_warn'
    Filter node evaluation result; filter_result='not-match', filter_type='level'
    Filter node evaluation result; filter_result='not-match', filter_type='AND'
    Filter rule evaluation result; filter_result='not-match', filter_rule='wxc_tunnel_warn'
    Filter rule evaluation begins; filter_rule='wxc_tunnel_crit'
    Filter node evaluation result; filter_result='not-match', filter_type='level'
    Filter node evaluation result; filter_result='not-match', filter_type='AND'
    Filter rule evaluation result; filter_result='not-match', filter_rule='wxc_tunnel_crit'
    Filter rule evaluation begins; filter_rule='wxc_license_crit'
    Filter node evaluation result; filter_result='not-match', filter_type='level'
    Filter node evaluation result; filter_result='not-match', filter_type='AND'
    Filter rule evaluation result; filter_result='not-match', filter_rule='wxc_license_crit'
    No such value known; value='rest' <<<<

    root@nagios-collector:/opt/syslog-ng/var/db/patterns/v1 # cat test1.xml
    <?xml version="1.0" encoding="utf-8"?>
    <patterndb version="1" pub_date="2009-04-17">
      <program name="1">
        <pattern>wxc</pattern>
        <rule id="1" class="system">
          <pattern>@ANYSTRING:rest@</pattern>
        </rule>
      </program>
    </patterndb>
    root@nagios-collector:/opt/syslog-ng/var/db/patterns/v1 #

Thanks
Peter

Hi Peter,

On Thu, Sep 16, 2010 at 10:22:34AM +0100, Peter Mills wrote:
> Using syslog-ng (3.0.8)
> <pattern>@ANYSTRING:rest@</pattern>

I am not so sure 'ANYSTRING' works in 3.0.x. Besides, I had a lot of problems when I tried to use patterns in that version. Is there a specific reason why you require this particular version?

Matthew.

Matthew,

No particular requirement: Using Ubuntu and managed to come across a Debian package for this release.

Which release do you suggest and where do I obtain a suitable package?

Thanks
Peter

On Thu, Sep 16, 2010 at 10:36:06AM +0100, Peter Mills wrote:
> Matthew,
> No particular requirement: Using Ubuntu and managed to come across a Debian package for this release.
> Which release do you suggest and where do I obtain a suitable package?

I would suggest 3.1 or up. There are debs on the Balabit site.
http://www.balabit.com/downloads/files?path=/syslog-ng/open-source-edition/3...

3.1.2 latest version is in debian unstable
http://packages.debian.org/search?keywords=syslog-ng&searchon=names&suite=un...

for some reason only 2.0.9 seems to be in Ubuntu. EGADS!

> Thanks Peter

Matthew.

On 16/09/2010 11:45, Matthew Hall wrote:
> for some reason only 2.0.9 seems to be in Ubuntu. EGADS!

As said on the Balabit blogs earlier this month [1], you can have access to the latest feature release version of OSE Syslog-NG through backports for Ubuntu here:

http://packages.ubuntu.com/lucid-backports/admin/

[1] http://czanik.blogs.balabit.com/2010/09/syslog-ng-3-1-backport-arrived-for-u...

BR
Christophe

Thanks, it's working now!

    1,HOST IP 192.168.61.202,- - WXC-192.168.61.202 register 1102 [wx-event@juniper.net eventtime="1284635779" metric="Primary Reg Server Unreachable" sev="major" type="sys"] REG: Self registration failed. IP=192.168.61.242.

    #Check pattern matching
    destination df_udp_pattern_output {
        file("/var/log/pattern_output" template("$PROGRAM,HOST IP ${.wxc.host_ip},$MSG\n") template_escape(no));
    };

    nagios@nagios-collector:/opt/syslog-ng/var/db/patterns/v1$ cat test.xml
    <?xml version="1.0" encoding="utf-8"?>
    <patterndb version="1" pub_date="2009-04-17">
      <program name="1">
        <pattern>wxc</pattern>
        <rule id="1" class="system">
          <pattern>- - WXC-@IPv4:.wxc.host_ip@ @STRING:.wxc.process@ @NUMBER:.wxc.pid@ @QSTRING:.wxc.bracket:[]@ @STRING:.wxc.body@</pattern>
        </rule>
      </program>
    </patterndb>
    nagios@nagios-collector:/opt/syslog-ng/var/db/patterns/v1$
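
Added example (not part of the thread and not syslog-ng code): a Python model of how the pattern in the final post walks the sample message, useful for checking which text ends up in each named field before relying on those fields downstream. It assumes the documented parser behaviour (STRING takes ASCII alphanumerics plus any listed extra characters, NUMBER takes decimal digits, QSTRING takes the text between the given quote characters, ANYSTRING takes the rest) and does not model program matching, rule selection or `@@` escaping; `match_pattern` and the `p_*` helpers are names invented here.

```python
import re

def p_ipv4(text, _):
    m = re.match(r"([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})", text)
    ok = m and all(int(octet) <= 255 for octet in m.groups())
    return (m.group(0), m.end()) if ok else None

def p_number(text, _):
    m = re.match(r"[0-9]+", text)
    return (m.group(0), m.end()) if m else None

def p_string(text, extra):
    # ASCII alphanumerics, plus any extra characters listed as the parameter
    n = 0
    while n < len(text) and ((text[n].isascii() and text[n].isalnum()) or text[n] in extra):
        n += 1
    return (text[:n], n) if n else None

def p_qstring(text, quotes):
    # quotes is one character, or an opening/closing pair such as "[]"
    if not quotes or not text.startswith(quotes[0]):
        return None
    end = text.find(quotes[-1], 1)
    return (text[1:end], end + 1) if end > 0 else None

def p_anystring(text, _):
    return text, len(text)

PARSERS = {"IPv4": p_ipv4, "NUMBER": p_number, "STRING": p_string,
           "QSTRING": p_qstring, "ANYSTRING": p_anystring}
TOKEN = re.compile(r"@(\w+)(?::([^:@]*))?(?::([^@]*))?@")  # @TYPE:name:param@

def match_pattern(pattern, message):
    """Return (fields, unparsed_tail), or None when a literal or parser fails."""
    fields, pos, last = {}, 0, 0
    for tok in TOKEN.finditer(pattern):
        literal = pattern[last:tok.start()]
        kind, name, param = tok.groups()
        if kind not in PARSERS or not message.startswith(literal, pos):
            return None
        pos += len(literal)
        hit = PARSERS[kind](message[pos:], param or "")
        if hit is None:
            return None
        if name:
            fields[name] = hit[0]
        pos, last = pos + hit[1], tok.end()
    tail = pattern[last:]
    return (fields, message[pos + len(tail):]) if message.startswith(tail, pos) else None

# Message text and pattern copied from the thread's final post
MSG = '- - WXC-192.168.61.202 register 1102 [wx-event@juniper.net eventtime="1284635779" metric="Primary Reg Server Unreachable" sev="major" type="sys"] REG: Self registration failed. IP=192.168.61.242.'
PATTERN = "- - WXC-@IPv4:.wxc.host_ip@ @STRING:.wxc.process@ @NUMBER:.wxc.pid@ @QSTRING:.wxc.bracket:[]@ @STRING:.wxc.body@"
```

In this model `match_pattern(PATTERN, MSG)` puts only `REG` in `.wxc.body`, because STRING stops at the colon, and returns the rest of the line as the unparsed tail.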

Participants (3):
- Christophe Brocas
- Matthew Hall
- Peter Mills