[syslog-ng] unable to use multiple application patterns per ruleset

Kurt Yoder kyoder at gmail.com
Thu Mar 8 21:51:21 CET 2012


Hi list,

Using patterndb, has anyone successfully used multiple application patterns per ruleset? I have the following:

<?xml version='1.0' encoding='UTF-8'?>
<patterndb version='4' pub_date='2012-03-08'>
  <ruleset name='rdc-pam' id='rdc-pam'>
    <patterns>
      <pattern>blahblah</pattern>
      <pattern>sshd</pattern>
    </patterns>
    <rules>

      <rule class='system' id='pam_session_opened_for_user_by_uid' provider='rdc'>
        <description></description>
        <patterns>
          <pattern>pam_unix(sshd:session): session opened for user kurt by (uid=0)</pattern>
        </patterns>
        <values>
        </values>
        <tags>
         <tag>rdc.alert.ok</tag>
        </tags>
      </rule>
    </rules>
  </ruleset>
</patterndb>

As soon as I remove "<pattern>blahblah</pattern>", or move it below "<pattern>sshd</pattern>", this rule starts matching events. When I add it back, it stops matching events.

The documentation at http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.2-guide-admin-en.html/reference_patterndb_schemes.html says (incidentally, the closing "<patterns>" in this example should instead read "</patterns>"):

"
Specifying multiple patterns is useful if two or more applications have different names (that is, different $PROGRAM fields), but otherwise send identical log messages.

<patterns>
    <pattern>firstapplication</pattern>
    <pattern>otherapplication</pattern>
<patterns>
"

This is exactly what I am trying to do, but it does not appear to work as documented.

I manually backported my syslog-ng from Ubuntu Oneiric:

$ syslog-ng --version
syslog-ng 3.2.4
Installer-Version: 3.2.4
Revision: ssh+git://bazsi@git.balabit//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.2#master#ef7b91e4a1b1f9628c66138b4ae83de7e4c697c6
Compile-Date: Jan 19 2012 02:57:58
Enable-Threads: on
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-Sun-STREAMS: off
Enable-IPv6: on
Enable-Spoof-Source: on
Enable-TCP-Wrapper: on
Enable-SSL: on
Enable-SQL: on
Enable-Linux-Caps: on
Enable-Pcre: on
Enable-Pacct: off

Can anyone offer a suggestion toward making this work?

Thanks
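As an added illustration (not part of the original post and not syslog-ng's own code), the following script models the documented semantics of the ruleset above: a message is routed to a ruleset if its $PROGRAM equals any of that ruleset's program patterns, and then to the first rule whose message pattern matches. It is a deliberate simplification that only handles literal message patterns (no @PARSER@ tokens), so it shows what the documentation promises rather than what a given syslog-ng build does; the XML is a constructed copy of the ruleset from the post.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the ruleset from the post, with the program patterns in
# the order that the report says stops the rule from matching.
PATTERNDB_XML = """<?xml version='1.0' encoding='UTF-8'?>
<patterndb version='4' pub_date='2012-03-08'>
  <ruleset name='rdc-pam' id='rdc-pam'>
    <patterns>
      <pattern>blahblah</pattern>
      <pattern>sshd</pattern>
    </patterns>
    <rules>
      <rule class='system' id='pam_session_opened_for_user_by_uid' provider='rdc'>
        <patterns>
          <pattern>pam_unix(sshd:session): session opened for user kurt by (uid=0)</pattern>
        </patterns>
        <tags><tag>rdc.alert.ok</tag></tags>
      </rule>
    </rules>
  </ruleset>
</patterndb>"""

def is_well_formed(xml_text):
    """True if the document parses; an unclosed <patterns> like the one in the
    quoted documentation example is rejected here before it reaches syslog-ng."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False

def load_rulesets(xml_text):
    """Return {ruleset_id: (program_patterns, [(rule_id, message_patterns, tags)])}."""
    root = ET.fromstring(xml_text)
    rulesets = {}
    for rs in root.findall('ruleset'):
        programs = [p.text for p in rs.findall('patterns/pattern')]
        rules = [(rule.get('id'),
                  [p.text for p in rule.findall('patterns/pattern')],
                  [t.text for t in rule.findall('tags/tag')])
                 for rule in rs.findall('rules/rule')]
        rulesets[rs.get('id')] = (programs, rules)
    return rulesets

def classify(rulesets, program, message):
    """Documented semantics: any program pattern selects the ruleset for that
    $PROGRAM, then the first rule whose literal pattern equals the message wins.
    Returns (ruleset_id, rule_id, tags) or None. Simplification: @PARSER@
    tokens are not interpreted, so only literal message patterns can match."""
    for rs_id, (programs, rules) in rulesets.items():
        if program not in programs:
            continue
        for rule_id, patterns, tags in rules:
            if message in patterns:
                return (rs_id, rule_id, tags)
    return None
```

Running the same (program, message) pairs through syslog-ng's own pdbtool and comparing with this model makes the ordering-dependent behaviour described in the post easy to pin down.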