[syslog-ng] db-parser issues
Jakub Jankowski
shasta at toxcorp.com
Sat May 30 00:37:40 CEST 2009
Hi,
I'm having a hard time getting db-parser functionality to work. This is my
syslog-ng config (omitted irrelevant stuff; some lines may be split due to
line wrappings in my MUA):
@version: 3.0

source s_sys {
    file("/proc/kmsg");
    unix-stream("/dev/log" flags(no-multi-line));
    internal();
};

destination d_test {
    file("/var/log/test.log"
         template("$HOUR:$MIN:$SEC $TZ $HOST [$LEVEL] ${.classifier.class} ${MSGONLY} ${FOO.BAR}\n")
         template_escape(no));
};

parser p_test { db-parser(file(/etc/syslog-ng/test.xml)); };
filter f_test { program("logger" type(string)); };

log { source(s_sys); filter(f_test); parser(p_test); destination(d_test); };
My pattern db (test.xml) is as simple as:
<patterndb version='1' pub_date='2009-05-16'>
  <program name='logger'>
    <pattern>param</pattern>
    <rules>
      <rule provider='tester' id='666' class='security'>
        <description>Test rule</description>
        <pattern>param1=@IPV4:FOO.BAR@</pattern>
      </rule>
    </rules>
  </program>
</patterndb>
Syslog-ng has no trouble loading it on startup, as suggested by these
lines in /var/log/messages:
May 30 00:17:37 atest1 syslog-ng[8681]: Log pattern database reloaded; file='/etc/syslog-ng/test.xml', version='1', pub_date='2009-05-16'
May 30 00:17:37 atest1 syslog-ng[8681]: syslog-ng starting up; version='3.0.2'
I'm testing db-parser by issuing:
$ echo param1=1.2.3.4 param2=abcde | logger -i
$
And this is what I get in /var/log/test.log:
00:17:38 +02:00 atest1 [notice] unknown param1=1.2.3.4 param2=abcde
Clearly not what I wanted. Seems like my parser doesn't match anything, as
${FOO.BAR} is empty. Can you shed some light on my problem? Am I doing
something obviously wrong?
Db-parser functionality is neat, but it lacks documentation; I am going by
Balázs' presentation and some blog posts only.
Thanks in advance,
Jakub
--
Jakub Jankowski|shasta at toxcorp.com|http://toxcorp.com/
GPG: FCBF F03D 9ADB B768 8B92 BB52 0341 9037 A875 942D
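As an added example that is not part of Jakub's post or of syslog-ng itself: a small Python emulation of the v1 pattern-db matching that db-parser performs, run over the posted pattern db and the posted test message. It encodes the v1 semantics as I understand them, and both points are assumptions to check against your own version: the `<pattern>` inside `<program>` is matched against $PROGRAM (the `name` attribute is only a label), and both the program pattern and the rule pattern have to cover their whole input, so a rule that stops after the IPv4 address leaves " param2=abcde" unmatched unless an @ANYSTRING@ follows. The regex table for the four parser types, the variant constants PDB_PROGRAM_FIXED and PDB_FIXED, and the classify() function are mine; syslog-ng's real matcher is a radix tree, not regexes, and @@ escapes and the other parser types are not handled.

```python
import re
import xml.etree.ElementTree as ET

# Constructed copy of the pattern db from the post. The two variants below
# change one thing each to show what each change does to the result.
PDB_AS_POSTED = """<patterndb version='1' pub_date='2009-05-16'>
<program name='logger'>
<pattern>param</pattern>
<rules>
<rule provider='tester' id='666' class='security'>
<description>Test rule</description>
<pattern>param1=@IPV4:FOO.BAR@</pattern>
</rule>
</rules>
</program>
</patterndb>"""

# Program-level <pattern> now names the program the message actually carries.
PDB_PROGRAM_FIXED = PDB_AS_POSTED.replace("<pattern>param</pattern>",
                                          "<pattern>logger</pattern>")
# ... and the rule pattern also swallows the rest of the message.
PDB_FIXED = PDB_PROGRAM_FIXED.replace(
    "<pattern>param1=@IPV4:FOO.BAR@</pattern>",
    "<pattern>param1=@IPV4:FOO.BAR@ @ANYSTRING@</pattern>")

# Regex stand-ins (assumption: approximate) for the parsers this emulator knows.
PARSER_RE = {
    "IPV4": r"(?:\d{1,3}\.){3}\d{1,3}",
    "NUMBER": r"\d+",
    "STRING": r"\S+",
    "ANYSTRING": r".*",
}
# @PARSER:name:params@ ; name and params are optional.
TOKEN_RE = re.compile(r"@([A-Z0-9]+)(?::([^@:]*))?(?::([^@]*))?@")


def compile_pattern(pattern):
    """Turn a patterndb pattern into (compiled regex, [names of named parsers])."""
    regex, names, pos = "", [], 0
    for m in TOKEN_RE.finditer(pattern):
        regex += re.escape(pattern[pos:m.start()])   # literal text between parsers
        ptype, name = m.group(1), m.group(2)
        if ptype not in PARSER_RE:
            raise ValueError("unsupported parser @%s@" % ptype)
        if name:                       # named parser: value becomes ${name}
            names.append(name)
            regex += "(%s)" % PARSER_RE[ptype]
        else:                          # unnamed parser only consumes input
            regex += "(?:%s)" % PARSER_RE[ptype]
        pos = m.end()
    regex += re.escape(pattern[pos:])
    return re.compile(regex), names


def load_pdb(xml_text):
    """Parse a v1 pattern db into [(program_pattern, [(rule_id, class, rule_pattern)])]."""
    pdb = []
    for prog in ET.fromstring(xml_text).findall("program"):
        rules = [(r.get("id"), r.get("class"), compile_pattern(r.findtext("pattern")))
                 for r in prog.findall("rules/rule")]
        pdb.append((compile_pattern(prog.findtext("pattern")), rules))
    return pdb


def classify(pdb, program, msg):
    """Emulate db-parser: returns (class, rule_id, {name: value}).

    The program pattern is matched against $PROGRAM and the rule pattern
    against $MSGONLY; both must match their input completely (fullmatch),
    which is my understanding of syslog-ng's behaviour. No match gives the
    class 'unknown', which is what the post's test.log line shows."""
    for (prog_re, _), rules in pdb:
        if not prog_re.fullmatch(program):
            continue
        for rule_id, cls, (rule_re, names) in rules:
            m = rule_re.fullmatch(msg)
            if m:
                return cls, rule_id, dict(zip(names, m.groups()))
    return "unknown", None, {}


# The message from the post: `logger -i` yields PROGRAM=logger and this MSG.
PROGRAM = "logger"
MSG = "param1=1.2.3.4 param2=abcde"

if __name__ == "__main__":
    for label, xml_text in (("as posted", PDB_AS_POSTED),
                            ("program pattern fixed", PDB_PROGRAM_FIXED),
                            ("program and rule pattern fixed", PDB_FIXED)):
        print("%-32s -> %r" % (label, classify(load_pdb(xml_text), PROGRAM, MSG)))
```

Running it prints "unknown" for the db as posted and for the variant that only fixes the program pattern, and ('security', '666', {'FOO.BAR': '1.2.3.4'}) once the rule pattern ends in @ANYSTRING@; in the template from the post that last case is what fills ${.classifier.class} and ${FOO.BAR}.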