[syslog-ng] Cant get pattern matching to work
Chris Johnson
masterof0 at gmail.com
Sun Feb 12 01:44:05 CET 2012
Sorry for bombarding the mailing list with questions. I have been working through the documentation but just seem to keep hitting obstacles. I have compared this to the examples in the manual and some samples I was able to track down, but Im not seeing where I am going wrong. For this question, I am working with the following data:
"MESSAGE" : "RT_FLOW_SESSION_CLOSE: session closed unset: 192.168.199.253/55189->8.8.8.8/53 junos-dns-udp X.X.X.X/60836->8.8.8.8/53 source-nat-rule None 17 trust-to-untrust trust untrust 30455 1(83) 1(83) 2 N/A N/A N/A(N/A) vlan.0",
"PROGRAM" : "RT_FLOW"
Based on this , I have generated the following pattern database and config just to see if I am heading down the right path. Unfortunately, what I thought would generate a pattern match on the logs and generate the appropriate macros, are not retuning anything. I have also tried taking out the $PROGRAM patter, but that did not seem to help. I have also validated this with pdbtool and it succeeds.
Any help is greatly appreciated
Chris
patterndb.xml
<patterndb version='3' pub_date='2011-02-11'>
<ruleset name='session_close' id='123456678'>
<rules>
<rule provider='cj' id='182437592347598' class='session'>
<patterns>
<pattern>
@ESTRING:TEST1:::@ @ANYSTRING:TEST2@
</pattern>
</patterns>
</rule>
</rules>
</ruleset>
</patterndb>
syslog-ng.conf
#####Destinations#####
destination d_mongodb {
mongodb(
value-pairs(
key("TEST1")
key("TEST2")
scope("base")
)
);
};
#####Parser#####
parser pattern_db {
db_parser(
file("/usr/local/etc/patterndb.xml")
);
};
#####Log#####
log {
source(s_network);
parser(pattern_db);
destination(d_mongodb);
};
Unfortunately, what I thought would pattern match and generate a macro for
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20120211/af8b11f7/attachment.htm
More information about the syslog-ng
mailing list