[syslog-ng] pattern naming problems

Matthew Hall mhall at mhcomputing.net
Thu Oct 14 08:59:03 CEST 2010 

Hello CzP,

> - how to handle at file/ruleset/etc level when two applications have the
> same $PROGRAM

> - how to handle, when the same application uses different $PROGRAM in
> different situations

> There are many different names as $PROGRAM,

> The question is the same:
> how should pattern name be handled?

I ran into the same problem with some brain damaged programs and log 
messages where it was not possible to get a reliable program name match.

Fortunately the problem is not too difficult to work around. I've 
collected some explanations from the manual to help you out.

Basically, depending on the situation, you can:

1) use syslog-ng parser(s) to match the program name and then reclassify 
the messages using a rule based on checking the value in the program 
name parser(s)

2) use a substring of the program name which starts the program's name 
in each case. This should work for postfix since each subdaemon's name 
begins with 'postfix/'.

3) leave the program name blank, and then that pattern DB becomes a 
'fallback' DB which is checked for any messages nothing else can 
classify. This is what I've chosen to do for the brain damaged programs 
I need to support. So far I haven't noticed a performance problem but I 
only loaded the system lightly.

Hope this helps,
Matthew Hall.

Notes from manuals:

[T]he rules of a ruleset are applied to log messages if the name of the 
application that sent the message matches the Program Pattern of the 
ruleset. The ... content of the $PROGRAM macro is compared to the 
Program Patterns of the available rulesets, and then the rules of the 
matching rulesets are applied to the message.

If the $PROGRAM part of a message is empty, rules with an empty Program 
Pattern are used to classify the message.

The Program Pattern can be a string that specifies the name of the 
appliation or the beginning of its name (e.g., to match for sendmail, 
the program pattern can be sendmail, or just send), and the Program 
Pattern can contain pattern parsers.

pattern: The name of the application — syslog-ng matches this value to 
the $PROGRAM header of the syslog message to find the rulesets 
applicable to the syslog message. This element is also called the 
program pattern.

If the <pattern> element of a ruleset is not specified, -ng will use 
this ruleset as a fallback ruleset: it will apply the ruleset to 
messages that have an empty PROGRAM header, or if none of the program 
patterns matched the PROGRAM header of the incoming message.

More information about the syslog-ng mailing list