Jakub Jankowski shasta at toxcorp.com
Sat May 30 00:37:40 CEST 2009


I'm having a hard time getting db-parser functionality to work. This is my 
syslog-ng config (omitted irrelevant stuff; some lines may be split due to 
line wrapping in my MUA):

@version: 3.0
source s_sys {
  file ("/proc/kmsg");
  unix-stream ("/dev/log" flags(no-multi-line));
destination d_test {
    template("$HOUR:$MIN:$SEC $TZ $HOST [$LEVEL] ${.classifier.class} 
parser p_test  { db-parser(file(/etc/syslog-ng/test.xml)); };
filter f_test { program("logger" type(string)); };
log { source(s_sys); filter(f_test); 
      parser(p_test); destination(d_test); };

My pattern db (test.xml) is as simple as:

<patterndb version='1' pub_date='2009-05-16'>
 <program name='logger'>
   <rule provider='tester' id='666' class='security'>
    <description>Test rule</description>

Syslog-ng has no trouble loading it on startup, as suggested by these 
lines in /var/log/messages:

May 30 00:17:37 atest1 syslog-ng[8681]: Log pattern database reloaded; 
file='/etc/syslog-ng/test.xml', version='1', pub_date='2009-05-16'
May 30 00:17:37 atest1 syslog-ng[8681]: syslog-ng starting up; 

I'm testing db-parser, by issuing:

$ echo param1= param2=abcde | logger -i

And this is what I get in /var/log/test.log:

00:17:38 +02:00 atest1 [notice] unknown param1= param2=abcde

Clearly not what I wanted. Seems like my parser doesn't match anything, as 
${FOO.BAR} is empty. Can you shed some light on my problem? Am I doing 
something obviously wrong?
Db-parser functionality is neat, but it lacks documentation - I am basing 
this on Balázs' presentation and some blog posts only.

Thanks in advance,

Jakub Jankowski
GPG: FCBF F03D 9ADB B768 8B92 BB52 0341 9037 A875 942D
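A toy model of how a patterndb rule is selected and how its @PARSER@ placeholders turn into name-value pairs, added here as an example for reasoning about the question above; it is not syslog-ng's own code (syslog-ng compiles patterns into a radix tree, this is a plain left-to-right matcher). The message, program name, rule id 666 and class 'security' come from the post; the pattern text, the FOO.BAZ name, the rule set and the extra test messages are assumptions, and the model's choice to let @ESTRING@ match an empty value (the message has nothing between "param1=" and the space) is flagged in the code.

```python
"""Toy model of syslog-ng patterndb rule matching (added example, not syslog-ng code).

Models the observable semantics only: a rule is looked up by $PROGRAM, its
pattern must consume the whole message, and each @PARSER:name[:arg]@ becomes
a name-value pair. The rule set and pattern below are assumptions built
around the message from the post.
"""
import re
from dataclasses import dataclass

# @ESTRING:name:delim@  @STRING:name[:extra]@  @NUMBER:name@  @ANYSTRING:name@
PARSER_RE = re.compile(
    r"@(ESTRING|STRING|NUMBER|ANYSTRING):([A-Za-z0-9_.]+)(?::([^@]*))?@")


@dataclass
class Rule:
    rule_id: str
    klass: str
    pattern: str


def match_pattern(pattern: str, msg: str):
    """Match pattern against msg; return captured name-values, or None."""
    values = {}
    pos = 0  # cursor in msg
    idx = 0  # cursor in pattern
    while idx < len(pattern):
        if pattern.startswith("@@", idx):  # escaped literal '@'
            if pos >= len(msg) or msg[pos] != "@":
                return None
            pos += 1
            idx += 2
            continue
        m = PARSER_RE.match(pattern, idx)
        if m is None:  # plain literal character must match exactly
            if pos >= len(msg) or msg[pos] != pattern[idx]:
                return None
            pos += 1
            idx += 1
            continue
        kind, name, arg = m.groups()
        idx = m.end()
        if kind == "ESTRING":
            # Value runs up to the delimiter, which is consumed as well.
            # An empty value (delimiter found immediately) is accepted here;
            # that is this model's assumption, check it against your version.
            if not arg:
                return None
            end = msg.find(arg, pos)
            if end < 0:
                return None
            values[name] = msg[pos:end]
            pos = end + len(arg)
        elif kind == "STRING":
            # alphanumerics plus any extra characters given as the argument
            tok = re.compile(r"[A-Za-z0-9%s]+" % re.escape(arg or "")).match(msg, pos)
            if tok is None:
                return None
            values[name] = tok.group()
            pos = tok.end()
        elif kind == "NUMBER":
            tok = re.compile(r"[0-9]+").match(msg, pos)
            if tok is None:
                return None
            values[name] = tok.group()
            pos = tok.end()
        else:  # ANYSTRING swallows the rest of the message
            values[name] = msg[pos:]
            pos = len(msg)
    # trailing, unconsumed message text means the rule does not fire
    return values if pos == len(msg) else None


def classify(program: str, msg: str, db: dict):
    """Return (class, rule_id, values), i.e. what ${.classifier.class},
    ${.classifier.rule_id} and the parsed name-value pairs would hold.
    No matching rule yields class 'unknown', as seen in the post's output."""
    for rule in db.get(program, []):
        values = match_pattern(rule.pattern, msg)
        if values is not None:
            return rule.klass, rule.rule_id, values
    return "unknown", None, {}


# Constructed rule set mirroring the post's test.xml; the pattern is assumed.
PATTERNDB = {
    "logger": [
        Rule("666", "security",
             "param1=@ESTRING:FOO.BAR: @param2=@ANYSTRING:FOO.BAZ@"),
    ],
}

if __name__ == "__main__":
    for prog, msg in [("logger", "param1= param2=abcde"),   # the post's message
                      ("logger", "param1=x param2=abcde"),
                      ("logger", "param1=x"),                # delimiter missing -> unknown
                      ("cron", "param1= param2=abcde")]:     # other program -> unknown
        print(prog, repr(msg), "->", classify(prog, msg, PATTERNDB))
```

Running the block prints the class, rule id and captured values for each constructed case; the last two show the two ways a rule silently fails to fire (the pattern does not consume the whole message, or the rule sits under a different program name), both of which leave ${.classifier.class} at "unknown" and the named values empty.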

