[syslog-ng] db-parser issues

Jakub Jankowski shasta at toxcorp.com
Sat May 30 00:37:40 CEST 2009


Hi,

I'm having a hard time getting db-parser functionality to work. This is my 
syslog-ng config (omitted irrelevant stuff; some lines may be split due to 
line wrappings in my MUA):

@version: 3.0
source s_sys {
  file ("/proc/kmsg");
  unix-stream ("/dev/log" flags(no-multi-line));
  internal();
};
destination d_test {
  file("/var/log/test.log"
    template("$HOUR:$MIN:$SEC $TZ $HOST [$LEVEL] ${.classifier.class} ${MSGONLY} ${FOO.BAR}\n")
    template_escape(no));
};
parser p_test  { db-parser(file(/etc/syslog-ng/test.xml)); };
filter f_test { program("logger" type(string)); };
log { source(s_sys); filter(f_test); 
      parser(p_test); destination(d_test); };

My pattern db (test.xml) is as simple as:

<patterndb version='1' pub_date='2009-05-16'>
 <program name='logger'>
  <pattern>param</pattern>
  <rules>
   <rule provider='tester' id='666' class='security'>
    <description>Test rule</description>
     <pattern>param1=@IPV4:FOO.BAR@</pattern>
   </rule>
  </rules>
 </program>
</patterndb>

Syslog-ng has no trouble loading it on startup, as suggested by these 
lines in /var/log/messages:

May 30 00:17:37 atest1 syslog-ng[8681]: Log pattern database reloaded; file='/etc/syslog-ng/test.xml', version='1', pub_date='2009-05-16'
May 30 00:17:37 atest1 syslog-ng[8681]: syslog-ng starting up; version='3.0.2'


I'm testing db-parser by issuing:

$ echo param1=1.2.3.4 param2=abcde | logger -i
$

And this is what I get in /var/log/test.log:

00:17:38 +02:00 atest1 [notice] unknown param1=1.2.3.4 param2=abcde

Clearly not what I wanted. Seems like my parser doesn't match anything, as 
${FOO.BAR} is empty. Can you shed some light on my problem? Am I doing 
something obviously wrong?
Db-parser functionality is neat, but it lacks documentation - I'm basing this on 
Balázs' presentation and some blog posts only.


Thanks in advance,
 Jakub

-- 
Jakub Jankowski|shasta at toxcorp.com|http://toxcorp.com/
GPG: FCBF F03D 9ADB B768 8B92 BB52 0341 9037 A875 942D
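Added example, not from the original post or from the syslog-ng project: a rewritten test.xml for the setup above. It assumes patterndb v1 semantics as used by syslog-ng 3.0, namely that the <pattern> directly under <program> is matched against $PROGRAM (the name attribute is only an identifier) and that a rule <pattern> must consume the whole message text; the @ANYSTRING@ parser and the FOO.REST name are assumptions.

```xml
<!-- Added example (not the original poster's file). Assumes patterndb v1
     semantics: the program-level <pattern> is matched against $PROGRAM,
     and a rule <pattern> has to cover the entire message. -->
<patterndb version='1' pub_date='2009-05-16'>
 <program name='logger'>
  <!-- The original file had <pattern>param</pattern> here, which would only
       match messages whose $PROGRAM is "param". "logger -i" yields
       $PROGRAM="logger" (the PID is parsed separately into $PID). -->
  <pattern>logger</pattern>
  <rules>
   <rule provider='tester' id='666' class='security'>
    <description>Test rule</description>
    <!-- @IPV4:FOO.BAR@ captures 1.2.3.4 into ${FOO.BAR}. The trailing
         @ANYSTRING:FOO.REST@ (assumed available in this version) absorbs
         " param2=abcde" so the rule matches the complete message. -->
    <pattern>param1=@IPV4:FOO.BAR@ @ANYSTRING:FOO.REST@</pattern>
   </rule>
  </rules>
 </program>
</patterndb>
```

With the same destination template, a matched message should log ${.classifier.class} as security instead of unknown and ${FOO.BAR} as 1.2.3.4; if it still reads unknown, compare $PROGRAM in the raw message against the program-level pattern first.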


