[syslog-ng] New db-parser format and other improvements

ILLES, Marton illes.marton at balabit.hu
Fri Jun 5 14:52:15 CEST 2009 

Hi,

I have already mentioned earlier that I am planning to back-port the new
db-parser patterndb format to syslog-ng OSE. After Bazsi's plan on the
4.0 roadmap I had no more excuse and did the backporting last week. So
anyone interested in the new format can find the code in my git tree.

Format 2 is more flexible and hopefully easier to use. Meanwhile I
removed support for version 1 format. Converting between the formats is
very straight forward, but I also plan to add an XSLT for conversions.

The new format has support and flexibility for couple of interesting
things:
        
        
      * rules for one program can be separated into multiple rulesets
      * rulesets can be defined without program pattern where these act
        as a fail-back rule sets if no program pattern is matching or
        when message does not have program part
      * one rule can have any number of pattern attached to it
        (sometimes the same message has multiple format, just think
        about multilingual messages)
      * tags can be attached to rules (IMPORTANT: as of now tags are not
        considered, but at least the format has place for them!)


The new patterndb format looks like this:

<patterndb version="2" pub_date="2009-06-04">
 <ruleset name="testset" id="4182799f-9d1e-48a2-aa1e-aa4bdac6aff8">
  <rules>
   <rule provider="balabit" id="4a3b027a-3c5c-4c55-a28b-ce8052e8a327" class="system">
     <tags>
      <tag>login</tag>
    </tags>
    <patterns>
     <pattern>HERE COMES THE PATTERN</pattern>
    </patterns>
   </rule>
  </rules>
</patterndb>

I have added new parsers to the db-parser:
        
        
      * IPv6 to parser IPv6 addresses with all the special notation
        styles
      * IPvANY to match either IPv4 or IPv6 addresses
      * NUMBER parser now handles hexadecimal numbers with the 0x or 0X
        prefix
      * DOUBLE parser to match and parse non integer

I am trying to find some time in the near future to add the missing tag
support and provide some more details on the new format.

cheers,
Marton
-- 
Key fingerprint = F78C 25CA 5F88 6FAF EA21 779D 3279 9F9E 1155 670D

More information about the syslog-ng mailing list