[syslog-ng] pattern naming problems

Balazs Scheidler bazsi at balabit.hu
Sat Oct 16 06:22:38 CEST 2010


On Thu, 2010-10-14 at 12:12 +0200, Peter Czanik wrote:
> Hello,
> 
> On 10/14/2010 08:59 AM, Matthew Hall wrote:
> > Basically, depending on the situation, you can:
> > 1) use syslog-ng parser(s) to match the program name and then reclassify 
> > the messages using a rule based on checking the value in the program 
> > name parser(s)
> >
> > 2) use a substring of the program name which starts the program's name 
> > in each case. This should work for postfix since each subdaemon's name 
> > begins with 'postfix/'.
> >
> > 3) leave the program name blank, and then that pattern DB becomes a 
> > 'fallback' DB which is checked for any messages nothing else can 
> > classify. This is what I've chosen to do for the brain damaged programs 
> > I need to support. So far I haven't noticed a performance problem but I 
> > only loaded the system lightly.
> >   
> Option 1) needs changes also in syslog-ng.conf, so it's not good as a
> general solution. Option 3) looks ugly too, and might be slower / less
> reliable when a large number of patterns are used. So far 2) seems to be
> the most useful for general use. This can handle postfix/* and imapd*.
> I still wonder how to handle when the same $PROGRAM is used for
> different applications, like "imapd" for both wu-imapd and
> courier-imapd. First I thought that all should go to the same
> imapd.pdb, but under different rulesets. But that has a problem: courier
> is not just imap, but also a pop3 server. Also
> http://git.balabit.hu/?p=bazsi/syslog-ng-patterndb.git;a=blob;f=README.txt;hb=HEAD
> says, that "Applications are grouped by their respective function and
> each application gets a single file that lists all the patterns of that
> application." So it would be more appropriate to rename imapd.pdb to
> wu-imapd.pdb (as it would only have patterns for Washington University
> IMAPd), and have a separate courier.pdb, or even courier-imapd.pdb and
> courier-pop3d.pdb. What do you think?

you should use separate files based on the brand/name of the product and
both should use imapd as the program name pattern. The rules will be
merged internally by syslog-ng, but I guess the messages themselves are
different enough to make a distinction. Or if not, hopefully the
same-looking messages also serve the same purpose.

Also please note that you can use multiple <pattern> tags for a given
ruleset, e.g.

<ruleset ...>
  <patterns>
    <pattern>imapd</pattern>
    <pattern>imapd-ssl</pattern>
  </patterns>
</ruleset>

Also, program names, just like messages, use the longest prefix match, so
as Matthew has put it, you can always use the longest unique prefix.

And you can also use parsers within the program name pattern if
that helps somehow.

-- 
Bazsi
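As an added illustration of the layout Bazsi describes (this is not from the thread or from the upstream syslog-ng-patterndb repository): two files named after the product, both using imapd as the program pattern, with the Courier file also listing imapd-ssl. The rule ids are placeholders, and the login message formats and field names are assumed sample values, not verified against either daemon.

```xml
<?xml version='1.0' encoding='UTF-8'?>
<!-- wu-imapd.pdb: patterns for Washington University IMAPd only -->
<patterndb version='4' pub_date='2010-10-16'>
  <ruleset name='wu-imapd' id='PLACEHOLDER-UUID-1'>
    <patterns>
      <pattern>imapd</pattern>
    </patterns>
    <rules>
      <!-- assumed sample line: Login user=bob host=mail.example.com [192.0.2.10] -->
      <rule provider='example' id='PLACEHOLDER-UUID-2' class='system'>
        <patterns>
          <pattern>Login user=@ESTRING:username: @host=@ESTRING:client_host: @[@ESTRING:client_ip:]@</pattern>
        </patterns>
      </rule>
    </rules>
  </ruleset>
</patterndb>

<?xml version='1.0' encoding='UTF-8'?>
<!-- courier.pdb: Courier's IMAP daemons log as imapd and imapd-ssl -->
<patterndb version='4' pub_date='2010-10-16'>
  <ruleset name='courier-imapd' id='PLACEHOLDER-UUID-3'>
    <patterns>
      <pattern>imapd</pattern>
      <pattern>imapd-ssl</pattern>
    </patterns>
    <rules>
      <!-- assumed sample line: LOGIN, user=bob, ip=[::ffff:192.0.2.10] -->
      <rule provider='example' id='PLACEHOLDER-UUID-4' class='system'>
        <patterns>
          <pattern>LOGIN, user=@ESTRING:username:,@ ip=[@ESTRING:client_ip:]@</pattern>
        </patterns>
        <examples>
          <example>
            <test_message program='imapd'>LOGIN, user=bob, ip=[::ffff:192.0.2.10]</test_message>
            <test_values>
              <test_value name='username'>bob</test_value>
              <test_value name='client_ip'>::ffff:192.0.2.10</test_value>
            </test_values>
          </example>
        </examples>
      </rule>
    </rules>
  </ruleset>
</patterndb>
```

pdbtool merge combines the per-product files into the single database syslog-ng loads, and pdbtool test runs the embedded example against the pattern so a message that matches the wrong ruleset shows up before deployment.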