[syslog-ng] patterndb - user defined parsers

Balazs Scheidler bazsi at balabit.hu
Sun Dec 18 09:42:36 CET 2011


On Sun, 2011-11-27 at 09:58 -0800, Evan Rempel wrote:
> Yes, I am aware of this, and it is good for generating the alerts when an event occurs, and I am planning on using
> this powerful feature as well, but it does not address my problem.
> 
> The problem I am having is that I need to match on any login event where the login ID is one of 22 known
> administrator accounts. I don't want to have to augment the pattern for EVERY login type message to
> include the 22 different patterns. What I would like to do is make my own parser that would have
> the 22 known login IDs and then use that parser in the rest of the patterndb.
> 
> This type of structure has already been applied to the syslog-ng configuration by adding the BLOCK { }; construct.
> 
> Also, when a sysadmin leaves our group, or we hire new staff, I can just update my own parser for the new/removed
> sysadmin login ID and my infrastructure continues to work well.

This kind of stuff shouldn't be done by patterns; their primary role is
to extract information from the log message. If you want to create an
alert based on user name, it should be performed using the filtering
engine.

log {
	source(s_all);
	# patterndb extracts the fields (e.g. the user name) from every message
	parser(p_dbparser);
	# alerting is a filter decision on the extracted fields, not a pattern
	log { filter(f_alerts); filter(f_admins); destination(d_adminalerts); };
	log { destination(d_normal); };
};

-- 
Bazsi
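A fuller configuration along the lines Bazsi sketches, added here as an illustration and not taken from the thread. It assumes a patterndb file at /etc/syslog-ng/patterndb.d/logins.xml whose rules tag login messages with "usracct" and fill ${usracct.username} and ${usracct.device}; the account names and file paths are constructed placeholders.

```conf
@version: 3.3

source s_all { system(); internal(); };

# Patterndb does the parsing only. The rules in the file below (assumed, not
# shown) classify login messages with the "usracct" tag and fill the
# name-value pair ${usracct.username} with the account that logged in.
parser p_dbparser { db-parser(file("/etc/syslog-ng/patterndb.d/logins.xml")); };

# Which messages are alert-worthy: anything the rules tagged as a login event.
filter f_alerts { tags("usracct"); };

# The administrator accounts live in this one filter and nowhere else.
# Editing this regex when a sysadmin joins or leaves is the whole
# maintenance step; no pattern has to change. (Constructed sample names.)
filter f_admins {
    match("^(alice|bob|carol|dave)$" value("usracct.username"));
};

# Alert copy of admin logins, written with the extracted fields.
destination d_adminalerts {
    file("/var/log/admin-logins.log"
         template("${ISODATE} ${HOST} admin login: ${usracct.username} from ${usracct.device}\n"));
};
destination d_normal { file("/var/log/messages"); };

log {
    source(s_all);
    parser(p_dbparser);
    # admin logins get an extra copy in the alert file ...
    log { filter(f_alerts); filter(f_admins); destination(d_adminalerts); };
    # ... and every message, admin or not, still reaches the normal log
    log { destination(d_normal); };
};
```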
