[syslog-ng] Debugging Pattern Match Failures
Matthew Hall
mhall at mhcomputing.net
Tue Aug 3 19:10:37 CEST 2010
On Tue, Aug 03, 2010 at 02:39:38PM +0200, Balazs Scheidler wrote:
> Well, if you want to look at the result of the message parsing exactly
> as done by syslog-ng, you could use a noop rewrite rule and enable
> debugging (though it is not recommended to be done in a production
> server):
>
> rewrite r_noop { set("$MESSAGE"); };
>
> This would set $MESSAGE to $MESSAGE, but at the end of the rewrite rule,
> syslog-ng would emit a debug message about the contents of the MESSAGE
> name-value pair.
Unfortunately I can't even get that far because the beginning of my
message patterns is not matching up against whatever syslog-ng is using
to do the pattern match, so I am not going to get any name value pairs
out.
> Alternatively, you may still be able to use "pdbtool match" which can
> read a log file, parse it with syslog-ng's message parser and report the
> results per name-value pair.
>
> $ pdbtool match -f /var/log/auth.log -p access/sshd.pdb | head -10
> HOST=bzorp
> MESSAGE=pam_unix(cron:session): session opened for user root by (uid=0)
> PROGRAM=CRON
> PID=7362
> LEGACY_MSGHDR=CRON[7362]:
> .classifier.class=unknown
>
> ...
>
> This uses the normal BSD syslog parser to read the file (thus if you are
> using no-parse flag, or RFC5424 format log files, that may differ)
How do I create a file in this BSD format the pdbtool expects? Right now
I am using syslog-ng output files as input to my patternizing scripts,
but I think I am not stripping off the right things at the beginning of
the lines in these files (either too much or too little).
Is there some option I can use to store just the part it would send to
the pattern matcher so that I can have input to my patternizer which
looks exactly like what the daemon is going to match during the pattern
match for each message?
> --
> Bazsi
Thanks,
Matthew.
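As an added illustration (not code from syslog-ng, pdbtool, or either poster), the script below approximates the split syslog-ng's BSD syslog (RFC 3164) parser performs on a line written with the default file template, producing the same name-value pairs pdbtool match prints: HOST, PROGRAM, PID, LEGACY_MSGHDR and MESSAGE. In patterndb, the ruleset's program pattern is compared against $PROGRAM and the rule patterns against $MESSAGE, so the value a patternizer should be fed is the MESSAGE field, i.e. the text after the "program[pid]: " header. The sample log lines are constructed, and the header regexes are an assumption that covers the common cases rather than a copy of syslog-ng's parser.

```python
"""Approximate syslog-ng's BSD syslog split to see what patterndb matches on.

Added example; the regexes are an approximation of syslog-ng's RFC 3164
parser, not its code.  Output fields mirror what "pdbtool match" prints.
"""
import re
from typing import Dict, Iterable, List

# Constructed sample lines in the format syslog-ng writes with its default
# file template ("$DATE $HOST $MSGHDR$MSG").  The last one carries a PRI
# prefix as it would appear on the wire rather than in a file.
SAMPLE_LINES = [
    "Aug  3 19:10:37 bzorp CRON[7362]: pam_unix(cron:session): session opened for user root by (uid=0)",
    "Aug  3 19:11:02 bzorp sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2",
    "Aug  3 19:11:05 bzorp kernel: usb 1-1: new high-speed USB device",
    "<38>Aug  3 19:11:09 bzorp sshd[1235]: Failed password for invalid user bob from 192.0.2.11 port 51235 ssh2",
]

# Optional <PRI>, BSD timestamp ("Mmm dd hh:mm:ss", day may be space padded),
# hostname, then everything else.
LINE_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<date>[A-Z][a-z]{2}\s{1,2}\d{1,2}\s\d{2}:\d{2}:\d{2})\s"
    r"(?P<host>\S+)\s"
    r"(?P<rest>.*)$"
)

# "program[pid]: " or "program: ".  The program character class is an
# assumption; it deliberately rejects "(" so that a message starting with
# "pam_unix(cron:session):" is not mistaken for a header.
HDR_RE = re.compile(r"^(?P<program>[A-Za-z0-9_./-]+)(?:\[(?P<pid>\d+)\])?:(?:\s|$)")

FIELD_ORDER = ["HOST", "MESSAGE", "PROGRAM", "PID", "LEGACY_MSGHDR"]


def parse_bsd_line(line: str) -> Dict[str, str]:
    """Split one BSD-format line into the name-value pairs patterndb sees."""
    fields = {"HOST": "", "PROGRAM": "", "PID": "", "LEGACY_MSGHDR": "", "MESSAGE": line}
    m = LINE_RE.match(line)
    if not m:
        # No recognisable header: the whole line stays in MESSAGE, which is
        # what you get from a file written with a non-default template.
        return fields
    fields["HOST"] = m.group("host")
    rest = m.group("rest")
    h = HDR_RE.match(rest)
    if h:
        fields["PROGRAM"] = h.group("program")
        fields["PID"] = h.group("pid") or ""
        # Header text without the trailing space, as pdbtool printed it above
        fields["LEGACY_MSGHDR"] = rest[: h.end()].rstrip()
        fields["MESSAGE"] = rest[h.end():]
    else:
        fields["MESSAGE"] = rest
    return fields


def patterndb_inputs(lines: Iterable[str]) -> List[str]:
    """PROGRAM<TAB>MESSAGE per line: the only text patterndb rules match on."""
    return [f"{f['PROGRAM']}\t{f['MESSAGE']}" for f in map(parse_bsd_line, lines)]


def dump_pdbtool_style(fields: Dict[str, str]) -> str:
    """Render fields as KEY=value lines, in the order pdbtool match shows them."""
    return "\n".join(f"{k}={fields[k]}" for k in FIELD_ORDER if fields[k])


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(dump_pdbtool_style(parse_bsd_line(line)))
        print()
```

Run it over your own syslog-ng output file instead of SAMPLE_LINES and compare the MESSAGE column with what your patternizer is stripping; if they differ, the pattern prefix will never line up with what the daemon matches.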