[syslog-ng] Troubles with the pattern database

Balazs Scheidler bazsi at balabit.hu
Mon Nov 30 11:10:38 CET 2009


On Sat, 2009-11-21 at 15:18 +0100, Guillaume Rousse wrote:
> ILLES, Marton a écrit :
> > Hi,
> > 
> > See my comments inline.
> > 
> > On Mon, 2009-10-12 at 16:32 +0200, Guillaume Rousse wrote:
> >> Hello list.
> >>
> >> I'm the mandriva maintainer for syslog-ng.
> >>
> >> I'm trying to play with the pattern database, with syslog-ng 3.0.4. I 
> >> rebuilt the package with the attached patch so as to use 
> >> /usr/share/syslog-ng as the database location (a bit more FHS-compliant than 
> >> /var), and extracted the files downloaded from 
> >> http://www.balabit.com/downloads/files/patterndb there.
> >>
> > 
> > The reason for using the /var location is that the patterndb could be
> > updated by the user, so I thought /usr is not the appropriate place for
> > such files as they could be changed by the user. For pre-packaged
> > patterns it might be a good place on the other hand. The general idea
> > (which is not ready yet) is to have a bunch of pattern files (for
> > different applications and site specific ones) which are merged into one
> > big file which is loaded by syslog-ng. This generated file would be
> > in /var.
> > 
> > This merge functionality is missing from the 3.0 version and is only
> > available in my 3.1 tree (hopefully soon merged to mainline by Bazsi). A
> > new pdbtool is responsible for merging and other misc stuff. See my blog
> > on this:
> > http://marci.blogs.balabit.com/2009/08/db-parser-new-utility-pdbtool.html
> > 
> > I am not an FHS expert so please correct me if I am wrong.
> /var is supposed to hold application state, not their primary data. It 
> could be appropriate to use if the syslog-ng daemon itself wrote the 
> merged database file, after loading various files from other 
> locations. But if users are supposed to do it themselves, /usr, or /etc, 
> would be better suited.
> 
> >> However, loading them fails with this message:
> >> Error parsing pattern database file; 
> >> filename='/usr/share/syslog-ng/patterndb.xml', error='Unexpected <rule> 
> >> element'
> >> Error reloading pattern database, no pattern recognition will be done;
> >>
> >> It looks like some DB format issue. According to
> >> http://www.balabit.com/dl/html/syslog-ng-v3.0-guide-admin-en.html/ch08s06.html#reference_parsers_pattern_databases
> >>
> >> the supported format is v1 until syslog-ng 3.0.2, and the NEWS file 
> >> doesn't list any change here, while the patterndb file is already using 
> >> v2. Am I correct ? And in this case, is there any way to easily convert 
> >> the base to the old format ?
> > 
> > syslog-ng 3.0 only supports patterndb format version 1. syslog-ng 3.1
> > supports patterndb format 3. Format 3 is backward compatible with format
> > 2, but not with format 1. The published patterns are in format 2, so you
> > can only use them with the 3.1 line. The pdbtool merge command could be used -
> > besides merging patterns - to upgrade the patterndbs to the latest
> > format 3. The new format provides many new features and advantages over
> > the old one so it is probably a good idea to use it.
> > 
> > Regarding the published patterns we are working on reviewing and doing
> > editorial work on them to provide better quality, as the currently
> > published ones are generated automatically with a script from logcheck
> > regexp based patterns and contain some errors. I try to publish them as
> > soon as possible, but I am a bit overloaded now. :(
> OK, thanks for the clarification. I'm waiting for OSE 3.1 release :)
> 

While syslog-ng OSE 3.1 is really around the corner, you could always
get your copy by cloning the git repository from

git clone git://git.balabit.hu/bazsi/syslog-ng-3.1.git

If you look at it closely, you can see that it already has a 3.1beta1
tag in it ;)


-- 
Bazsi

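The thread's failure mode is a silent one: a patterndb file in a format the installed syslog-ng cannot parse is rejected and "no pattern recognition will be done", so every log line goes through unclassified. The script below, added here as an illustration and not code from syslog-ng, BalaBit or anyone on the list, reads a pattern database file, reports the format version on the `<patterndb>` root element, and compares it with what the thread says each syslog-ng line loads (3.0: format 1 only; 3.1: formats 2 and 3). It then walks the rulesets and runs the rules against a few constructed log lines. The sample XML is constructed in the version-2 layout, and the matcher is a simplified subset covering only the `@STRING@`, `@NUMBER@`, `@ESTRING@` and `@ANYSTRING@` parsers; the element names, the sample messages and the exact matching semantics are assumptions, not taken from the page.

```python
"""Pre-flight check for a syslog-ng pattern database file.

Added example; not code from syslog-ng, BalaBit or the thread participants.
Assumptions: the sample XML is constructed in the version-2 layout
(<patterndb version=...> / <ruleset> / <rules> / <rule> / <patterns> /
<pattern>), and only a simplified subset of the parser syntax is matched.
"""
import re
import xml.etree.ElementTree as ET

# Compatibility as stated in the thread: 3.0 loads format 1 only,
# 3.1 loads formats 2 and 3 (format 3 is backward compatible with 2).
SUPPORTED_FORMATS = {"3.0": {"1"}, "3.1": {"2", "3"}}

# Constructed sample database (format 2 layout, hypothetical rules).
SAMPLE_PATTERNDB = """<patterndb version="2" pub_date="2009-11-30">
  <ruleset name="sshd" id="ruleset-sshd-1">
    <patterns>
      <pattern>sshd</pattern>
    </patterns>
    <rules>
      <rule id="rule-sshd-accepted" class="system" provider="example">
        <patterns>
          <pattern>Accepted @ESTRING:auth_method: @for @ESTRING:user: @from @ESTRING:client_ip: @port @NUMBER:client_port@ ssh2</pattern>
        </patterns>
      </rule>
      <rule id="rule-sshd-failed" class="violation" provider="example">
        <patterns>
          <pattern>Failed password for @ANYSTRING:rest@</pattern>
        </patterns>
      </rule>
    </rules>
  </ruleset>
</patterndb>
"""

# Constructed (program, message) pairs to classify.
SAMPLE_MESSAGES = [
    ("sshd", "Accepted publickey for alice from 203.0.113.7 port 51234 ssh2"),
    ("sshd", "Failed password for invalid user root from 198.51.100.9 port 40022 ssh2"),
    ("sshd", "Server listening on 0.0.0.0 port 22."),
    ("cron", "(root) CMD (run-parts /etc/cron.hourly)"),
]


def patterndb_version(xml_text):
    """Return the format version declared on the <patterndb> root element."""
    root = ET.fromstring(xml_text)
    if root.tag != "patterndb":
        raise ValueError("root element is <%s>, not <patterndb>" % root.tag)
    version = root.get("version")
    if version is None:
        raise ValueError("<patterndb> root has no version attribute")
    return version


def check_compat(xml_text, syslog_ng_version):
    """Return (ok, message) for loading this file into the given syslog-ng line."""
    version = patterndb_version(xml_text)
    supported = SUPPORTED_FORMATS.get(syslog_ng_version)
    if supported is None:
        return False, "no compatibility data for syslog-ng %s" % syslog_ng_version
    if version in supported:
        return True, "format %s loads on syslog-ng %s" % (version, syslog_ng_version)
    return False, "format %s does not load on syslog-ng %s (it accepts %s); upgrade with pdbtool merge or use a newer syslog-ng" % (
        version, syslog_ng_version, ", ".join(sorted(supported)))


def load_rules(xml_text):
    """Return [(program_names, rule_id, rule_class, pattern_text), ...]."""
    root = ET.fromstring(xml_text)
    rules = []
    for ruleset in root.iter("ruleset"):
        programs = [p.text for p in ruleset.findall("patterns/pattern")]
        for rule in ruleset.findall("rules/rule"):
            for pat in rule.findall("patterns/pattern"):
                rules.append((programs, rule.get("id"), rule.get("class"), pat.text))
    return rules


# @PARSER:name@ or @PARSER:name:arg@ ; only four parsers are handled here.
PARSER_RE = re.compile(r"@(STRING|NUMBER|ESTRING|ANYSTRING):([A-Za-z0-9_.]+)(?::([^@]*))?@")


def pattern_to_regex(pattern):
    """Translate a subset of patterndb pattern syntax into an anchored regex.
    Simplified semantics: STRING = non-whitespace run, NUMBER = digits,
    ESTRING = shortest text up to the delimiter (delimiter consumed),
    ANYSTRING = rest of the message."""
    parts, pos = [], 0
    for m in PARSER_RE.finditer(pattern):
        parts.append(re.escape(pattern[pos:m.start()]))
        kind, name, arg = m.group(1), m.group(2), m.group(3)
        if kind == "STRING":
            parts.append(r"(?P<%s>\S+)" % name)
        elif kind == "NUMBER":
            parts.append(r"(?P<%s>\d+)" % name)
        elif kind == "ESTRING":
            parts.append(r"(?P<%s>.*?)%s" % (name, re.escape(arg or "")))
        else:  # ANYSTRING
            parts.append(r"(?P<%s>.*)" % name)
        pos = m.end()
    parts.append(re.escape(pattern[pos:]))
    return re.compile("^" + "".join(parts) + "$")


def classify(rules, program, message):
    """First matching rule as (rule_id, rule_class, extracted fields), or None."""
    for programs, rule_id, rule_class, pattern in rules:
        if program not in programs:
            continue
        m = pattern_to_regex(pattern).match(message)
        if m:
            return rule_id, rule_class, m.groupdict()
    return None


if __name__ == "__main__":
    for ng in ("3.0", "3.1"):
        print("syslog-ng %s:" % ng, check_compat(SAMPLE_PATTERNDB, ng)[1])
    rules = load_rules(SAMPLE_PATTERNDB)
    for program, message in SAMPLE_MESSAGES:
        print("%s: %s -> %s" % (program, message, classify(rules, program, message)))
```

Run it against a real file by passing the file contents to `check_compat` before restarting the daemon; the point of the check is that a version mismatch is reported explicitly instead of surfacing only as "Error reloading pattern database" in the daemon's own log while classification is silently off. The matcher is there to show what the file drives once it does load; a production deployment relies on syslog-ng's own db-parser, not on this regex translation.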