[syslog-ng] Debugging Pattern Match Failures

Matthew Hall mhall at mhcomputing.net
Tue Aug 3 07:29:02 CEST 2010 

Hello Martin,

On Mon, Aug 02, 2010 at 10:07:36PM -0500, Martin Holste wrote:
> Did you try the patternize utility?  It can automate a lot of the
> pattern creating.

First of all thank you very much for pointing out patternize; I did see 
many of the patterndb related blogs but missed this one. I will 
certainly investigate this in detail and make as much use of it as 
possible.

> Also, are you using the pdbtool to test the messages?  See this
> blog post for more info:

I thought about pdbtool but the problem there was that I needed to know 
exactly which string the daemon would receive, how it would look when 
the daemon stripped the headers, and what it would send into the 
patterndb for matching.

This is because the messages on the socket have different headers from 
the headers which are used in the disk files of messages I am using as 
the source of raw material for creating the patterns. Thus I end up with 
the same problem I started with, unless I'm missing something here.

> --Martin

Cheers,
Matthew.

> On Mon, Aug 2, 2010 at 9:39 PM, Matthew Hall <mhall at mhcomputing.net> wrote:
> > Hello list,
> >
> > Recently I created a series of blasphemous scripts which convert some
> > large collections of recorded log messages in my environment into
> > pattern DB XML files. At first there were some syntax errors but I fixed
> > all of these and the XML files are loading successfully.
> >
> > However I am running into some problems with the next step: getting the
> > patterns to match against the incoming log messages. I suspect I am not
> > properly stripping the headers off of the disk files of recorded
> > messages I am using to generate the pattern DB XML files.
> >
> > I am wondering how I can enable the right debugging capabilities to get
> > more detailed debug output from the pattern DB parser where I can see
> > what strings are being processed so that I can fix this right instead
> > of guessing repeatedly and incorrectly.
> >
> > Thanks,
> > Matthew Hall.
> > ______________________________________________________________________________
> > Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> > Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> > FAQ: http://www.campin.net/syslog-ng/faq.html
> >
> >
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.campin.net/syslog-ng/faq.html
>

More information about the syslog-ng mailing list