[syslog-ng] Quotes and parser with pattern db in syslog-ng 3.1.1

Ilas, Yann yann.ilas at eads.com
Wed Jul 21 18:07:18 CEST 2010 

I have a question about the parser using the db_parser and xml file. I'm
currently using the version 3.1.1 of syslog-ng.

Here is the xml file named "syslog-ng.xml" :
<?xml version='1.0' encoding='UTF-8'?>
<patterndb version='3' pub_date='2010-07-21'>
  <ruleset name='syslog-ng' id='syslog-ng-01'>
    <pattern>syslog-ng</pattern>
    <rules>
      <rule provider='yann' id='syslog:server:0123456789:id001'
class='system'>
      <patterns>
         <pattern>syslog-ng shutting down;
version='@STRING::@'</pattern>
         <examples>
           <example>
             <test_message>syslog-ng shutting down;
version='3.1.1'</test_message>
           </example>
         </examples>
         <values>
           <value name=".classifier.facility">syslog</value>
           <value name=".classifier.severity">notice</value>
           <value name=".classifier.priority">45</value>
         </values>
      </patterns>
      </rule>
    </rules>
  </ruleset>
</patterndb>

I would like to test that configuration with the following message
"syslog-ng shutting down; version='3.1.1'" by using pdbtool.

# /opt/syslog-ng/bin/pdbtool match -p /tmp/syslog-ng.xml -P syslog-ng -M
"syslog-ng shutting down; version='3.1.1'"
MESSAGE=syslog-ng shutting down; version='3.1.1'
PROGRAM=syslog-ng
.classifier.class=unknown

The result is odd because my message seems to be right...
I suspect the quotes so I remove the quotes in the xml file.

Let's try again with the same message without quotes :
  (...)
  <pattern>syslog-ng shutting down; version=@STRING::@</pattern>
  (...)

Test:
# /opt/syslog-ng/bin/pdbtool match -p /tmp/syslog-ng.xml -P syslog-ng -M
"syslog-ng shutting down; version=3.1.1"
MESSAGE=syslog-ng shutting down; version=3.1.1
PROGRAM=syslog-ng
.classifier.class=system
.classifier.rule_id=syslog:server:0123456789:id001
.classifier.facility=syslog
.classifier.severity=notice
.classifier.priority=45

It works.

What's wrong with my message ? 
I tried to remove the second quote in the xml file like this :
  (...)
  <pattern>syslog-ng shutting down; version='@STRING::@</pattern>
  (...)

Test :
# /opt/syslog-ng/bin/pdbtool match -p /tmp/syslog-ng.xml -P syslog-ng -M
"syslog-ng shutting down; version='3.1.1"
MESSAGE=syslog-ng shutting down; version='3.1.1
PROGRAM=syslog-ng
.classifier.class=system
.classifier.rule_id=syslog:server:0123456789:id001
.classifier.facility=syslog
.classifier.severity=notice
.classifier.priority=45

I have the same result if I changed my xml file like this :
  (...)
  <pattern>syslog-ng shutting down; version=''@STRING::@</pattern>
  (...)

Test :
# /opt/syslog-ng/bin/pdbtool match -p /tmp/syslog-ng.xml -P syslog-ng -M
"syslog-ng shutting down; version=''3.1.1"
MESSAGE=syslog-ng shutting down; version=''3.1.1
PROGRAM=syslog-ng
.classifier.class=system
.classifier.rule_id=syslog:server:0123456789:id001
.classifier.facility=syslog
.classifier.severity=notice
.classifier.priority=45

Can't I have a message like this one 'texttexttext' ? Or did I miss
something ?

Last test : I change the xml file like this :
  (...)
  <pattern>syslog-ng shutting down; version='3.1.1'</pattern>
  (...)
=> I remove the @STRING::@ and the pdbtool returned the
.classifier.facility, .classifier.severity, etc.

May I use @STRING::@ between two simple quotes ?


Regards,

Yann I.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: syslog-ng.xml
Type: text/xml
Size: 802 bytes
Desc: syslog-ng.xml
Url : http://lists.balabit.hu/pipermail/syslog-ng/attachments/20100721/ca6e661c/attachment.bin

More information about the syslog-ng mailing list