[syslog-ng] pattern naming problems

Peter Czanik czanik at balabit.hu
Thu Oct 14 12:12:03 CEST 2010


Hello,

On 10/14/2010 08:59 AM, Matthew Hall wrote:
> Basically, depending on the situation, you can:
> 1) use syslog-ng parser(s) to match the program name and then reclassify 
> the messages using a rule based on checking the value in the program 
> name parser(s)
>
> 2) use a substring of the program name which starts the program's name 
> in each case. This should work for postfix since each subdaemon's name 
> begins with 'postfix/'.
>
> 3) leave the program name blank, and then that pattern DB becomes a 
> 'fallback' DB which is checked for any messages nothing else can 
> classify. This is what I've chosen to do for the brain damaged programs 
> I need to support. So far I haven't noticed a performance problem but I 
> only loaded the system lightly.
>   
Option 1) needs changes also in syslog-ng.conf, so it's not good as a
general solution. Option 3) looks ugly too, and might be slower / less
reliable when a large number of patterns are used. So far 2) seems to be
the most useful for general use. This can handle postfix/* and imapd*.
I still wonder how to handle when the same $PROGRAM is used for
different applications, like "imapd" for both wu-imapd and
courier-imapd. First I thought that all should go to the same
imapd.pdb, but under different rulesets. But that has a problem: courier
is not just imap, but also a pop3 server. Also
http://git.balabit.hu/?p=bazsi/syslog-ng-patterndb.git;a=blob;f=README.txt;hb=HEAD
says that "Applications are grouped by their respective function and
each application gets a single file that lists all the patterns of that
application." So it would be more appropriate to rename imapd.pdb to
wu-imapd.pdb (as it would only have patterns for Washington University
IMAPd), and have a separate courier.pdb, or even courier-imapd.pdb and
courier-pop3d.pdb. What do you think?
Bye,

-- 
Peter Czanik (CzP) <czanik at balabit.hu>
BalaBit IT Security / syslog-ng upstream
http://czanik.blogs.balabit.com/
