[syslog-ng] Quotes and parser with pattern db in syslog-ng 3.1.1
Fekete Róbert
frobert at balabit.hu
Wed Jul 21 21:19:08 CEST 2010
Hi,
it seems to be a bit odd that your original pattern is not working; it might be some quirk with the STRING parser.
However, using a QSTRING parser should be better in your case, as it is generally faster than the STRING parser, and more suitable for this message part, like this: <pattern>syslog-ng shutting down; version=@QSTRING::'@</pattern>
Regards,
Robert
On Wednesday, July 21, 2010 18:07 CEST, "Ilas, Yann" <yann.ilas at eads.com> wrote:
> I have a question about the parser using the db_parser and xml file. I'm
> currently using the version 3.1.1 of syslog-ng.
>
> Here is the xml file named "syslog-ng.xml":
> <?xml version='1.0' encoding='UTF-8'?>
> <patterndb version='3' pub_date='2010-07-21'>
>   <ruleset name='syslog-ng' id='syslog-ng-01'>
>     <pattern>syslog-ng</pattern>
>     <rules>
>       <rule provider='yann' id='syslog:server:0123456789:id001' class='system'>
>         <patterns>
>           <pattern>syslog-ng shutting down; version='@STRING::@'</pattern>
>           <examples>
>             <example>
>               <test_message>syslog-ng shutting down; version='3.1.1'</test_message>
>             </example>
>           </examples>
>           <values>
>             <value name=".classifier.facility">syslog</value>
>             <value name=".classifier.severity">notice</value>
>             <value name=".classifier.priority">45</value>
>           </values>
>         </patterns>
>       </rule>
>     </rules>
>   </ruleset>
> </patterndb>
>
> I would like to test that configuration with the following message
> "syslog-ng shutting down; version='3.1.1'" by using pdbtool.
>
> # /opt/syslog-ng/bin/pdbtool match -p /tmp/syslog-ng.xml -P syslog-ng -M "syslog-ng shutting down; version='3.1.1'"
> MESSAGE=syslog-ng shutting down; version='3.1.1'
> PROGRAM=syslog-ng
> .classifier.class=unknown
>
> The result is odd because my message seems to be right...
> I suspect the quotes so I remove the quotes in the xml file.
>
> Let's try again with the same message without quotes:
> (...)
> <pattern>syslog-ng shutting down; version=@STRING::@</pattern>
> (...)
>
> Test:
> # /opt/syslog-ng/bin/pdbtool match -p /tmp/syslog-ng.xml -P syslog-ng -M "syslog-ng shutting down; version=3.1.1"
> MESSAGE=syslog-ng shutting down; version=3.1.1
> PROGRAM=syslog-ng
> .classifier.class=system
> .classifier.rule_id=syslog:server:0123456789:id001
> .classifier.facility=syslog
> .classifier.severity=notice
> .classifier.priority=45
>
> It works.
>
> What's wrong with my message?
> I tried to remove the second quote in the xml file like this:
> (...)
> <pattern>syslog-ng shutting down; version='@STRING::@</pattern>
> (...)
>
> Test:
> # /opt/syslog-ng/bin/pdbtool match -p /tmp/syslog-ng.xml -P syslog-ng -M "syslog-ng shutting down; version='3.1.1"
> MESSAGE=syslog-ng shutting down; version='3.1.1
> PROGRAM=syslog-ng
> .classifier.class=system
> .classifier.rule_id=syslog:server:0123456789:id001
> .classifier.facility=syslog
> .classifier.severity=notice
> .classifier.priority=45
>
> I have the same result if I change my xml file like this:
> (...)
> <pattern>syslog-ng shutting down; version=''@STRING::@</pattern>
> (...)
>
> Test:
> # /opt/syslog-ng/bin/pdbtool match -p /tmp/syslog-ng.xml -P syslog-ng -M "syslog-ng shutting down; version=''3.1.1"
> MESSAGE=syslog-ng shutting down; version=''3.1.1
> PROGRAM=syslog-ng
> .classifier.class=system
> .classifier.rule_id=syslog:server:0123456789:id001
> .classifier.facility=syslog
> .classifier.severity=notice
> .classifier.priority=45
>
> Can't I have a message like this one 'texttexttext'? Or did I miss something?
>
> Last test: I change the xml file like this:
> (...)
> <pattern>syslog-ng shutting down; version='3.1.1'</pattern>
> (...)
> => I removed the @STRING::@ and pdbtool returned the .classifier.facility, .classifier.severity, etc.
>
> May I use @STRING::@ between two simple quotes?
>
> Regards,
>
> Yann I.
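To see why the quoted STRING pattern fails while the unquoted one and the QSTRING variant match, here is a small Python emulation of the two parsers (an added example for this thread, not syslog-ng or pdbtool code). It assumes the documented defaults: STRING runs to the next whitespace when no delimiter is given, and a single QSTRING quote character serves as both opening and closing quote; the `classify` helper and the `ver` capture name are constructed for illustration, and `@@` escapes and the other parser types are left out.

```python
import re

# Recognises @STRING:name:delims@ and @QSTRING:name:quotes@ parser tokens
# inside a patterndb-style pattern (simplified: no other parser types, no @@).
TOKEN = re.compile(r"@(STRING|QSTRING)(?::([^:@]*))?(?::([^@]*))?@")


def match_pattern(pattern, message):
    """Match one pattern against one message, anchored at both ends.

    Returns the dict of named captures on success, None on failure.
    Model of the parsers (assumption, not syslog-ng's implementation):
    STRING consumes up to the next delimiter (whitespace by default),
    QSTRING needs the opening quote and captures up to the closing quote.
    """
    pos, i, values = 0, 0, {}
    while i < len(pattern):
        m = TOKEN.match(pattern, i)
        if m is None:  # literal character must match exactly
            if pos >= len(message) or message[pos] != pattern[i]:
                return None
            i, pos = i + 1, pos + 1
            continue
        kind, name, param = m.group(1), m.group(2) or "", m.group(3) or ""
        i = m.end()
        if kind == "STRING":
            delims = param or " \t"  # default delimiter: whitespace
            end = pos
            while end < len(message) and message[end] not in delims:
                end += 1
            if end == pos:  # STRING must match at least one character
                return None
            value, pos = message[pos:end], end
        else:  # QSTRING
            if not param:
                raise ValueError("QSTRING needs its quote characters")
            open_q, close_q = param[0], param[-1]  # one char: used for both
            if pos >= len(message) or message[pos] != open_q:
                return None
            end = message.find(close_q, pos + 1)
            if end < 0:
                return None
            value, pos = message[pos + 1:end], end + 1
        if name:
            values[name] = value
    return values if pos == len(message) else None


def classify(pattern, message, rule_class="system"):
    """Mimic pdbtool's .classifier.class line: the rule's class or 'unknown'."""
    return rule_class if match_pattern(pattern, message) is not None else "unknown"
```

Under this model the pattern `version='@STRING::@'` fails because STRING swallows the closing quote along with `3.1.1`, leaving nothing for the literal `'` that follows, while `version=@QSTRING::'@` captures exactly `3.1.1`.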