[syslog-ng] Quotes and parser with pattern db in syslog-ng 3.1.1
Balazs Scheidler
bazsi at balabit.hu
Mon Jul 26 16:42:45 CEST 2010
On Wed, 2010-07-21 at 18:07 +0200, Ilas, Yann wrote:
> I have a question about the parser using the db_parser and xml file. I'm
> currently using the version 3.1.1 of syslog-ng.
>
> Here is the xml file named "syslog-ng.xml" :
> <?xml version='1.0' encoding='UTF-8'?>
> <patterndb version='3' pub_date='2010-07-21'>
>   <ruleset name='syslog-ng' id='syslog-ng-01'>
>     <pattern>syslog-ng</pattern>
>     <rules>
>       <rule provider='yann' id='syslog:server:0123456789:id001' class='system'>
>         <patterns>
>           <pattern>syslog-ng shutting down; version='@STRING::@'</pattern>
>           <examples>
>             <example>
>               <test_message>syslog-ng shutting down; version='3.1.1'</test_message>
>             </example>
>           </examples>
>           <values>
>             <value name=".classifier.facility">syslog</value>
>             <value name=".classifier.severity">notice</value>
>             <value name=".classifier.priority">45</value>
>           </values>
>         </patterns>
>       </rule>
>     </rules>
>   </ruleset>
> </patterndb>
>
> I would like to test that configuration with the following message
> "syslog-ng shutting down; version='3.1.1'" by using pdbtool.
>
> # /opt/syslog-ng/bin/pdbtool match -p /tmp/syslog-ng.xml -P syslog-ng -M "syslog-ng shutting down; version='3.1.1'"
> MESSAGE=syslog-ng shutting down; version='3.1.1'
> PROGRAM=syslog-ng
> .classifier.class=unknown
>
> The result is odd because my message seems to be right...
> I suspect the quotes so I remove the quotes in the xml file.
The problem is that the STRING parser "eats" alphanumeric characters
only, unless explicitly told the additional set of characters permitted.
If you also want to match the '.' character in the version, you can use
this parser:
@STRING::.@
(e.g. alphanumeric + '.')
With that it works for me.
Also, please note that there's a QSTRING parser, which looks for the
ending quote for a string.
So this one also works for me:
<pattern>syslog-ng shutting down; version=@QSTRING:almafa:'@</pattern>
The patterndb can be tricky at times; the fastest parser of all will
probably be ESTRING, sometimes performing better than the type-specific
parsers.
--
Bazsi
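To make the behaviour of the three parsers discussed above concrete, here is a small Python model of @STRING, @QSTRING and @ESTRING matching, added as an illustration; it is neither part of this thread nor syslog-ng's own code. It assumes the simplified semantics described in the reply (STRING = alphanumerics plus the listed extra characters, QSTRING = up to the closing quote with the quotes stripped from the stored value, ESTRING = up to and including the delimiter, or to the end of the message if none is given) and that a pattern must consume the whole message to match.

```python
import re

# Directive syntax: @TYPE:name:param@ (name and param may both be empty).
# Simplified model of three syslog-ng patterndb parsers as described in the
# thread; not syslog-ng's own matcher (escaped @@ and other types not modelled).
DIRECTIVE = re.compile(r"@(STRING|QSTRING|ESTRING):([^:@]*):?([^@]*)@")


def _run_parser(ptype, param, msg, pos):
    """Return (value, end_offset) for a parser starting at msg[pos], or None."""
    if ptype == "STRING":
        # Alphanumerics only, plus any extra characters listed in param.
        end = pos
        while end < len(msg) and (msg[end].isalnum() or msg[end] in param):
            end += 1
        return (msg[pos:end], end) if end > pos else None
    if ptype == "QSTRING":
        # One param char: same opening/closing quote; two chars: open, close.
        if not param or pos >= len(msg) or msg[pos] != param[0]:
            return None
        close = msg.find(param[-1], pos + 1)
        return (msg[pos + 1:close], close + 1) if close != -1 else None
    if ptype == "ESTRING":
        # Everything up to the delimiter (consumed); to end of message if none.
        if not param:
            return msg[pos:], len(msg)
        close = msg.find(param, pos)
        return (msg[pos:close], close + len(param)) if close != -1 else None
    return None


def match_pattern(pattern, msg):
    """Match a whole message against a pattern; dict of named values or None."""
    values, pos, idx = {}, 0, 0
    for m in DIRECTIVE.finditer(pattern):
        literal = pattern[idx:m.start()]      # fixed text before the directive
        if not msg.startswith(literal, pos):
            return None
        pos += len(literal)
        ptype, name, param = m.groups()
        result = _run_parser(ptype, param, msg, pos)
        if result is None:
            return None
        value, pos = result
        if name:                              # @STRING::@ has no name: drop it
            values[name] = value
        idx = m.end()
    if msg[pos:] != pattern[idx:]:            # trailing text must match exactly
        return None
    return values
```

Running the thread's message through the original pattern returns None (STRING stops at the first '.'), while `@STRING::.@` and `@QSTRING:almafa:'@` both match, the latter capturing `3.1.1` under the name almafa.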