[syslog-ng] unable to use multiple application patterns per ruleset
Kurt Yoder
kyoder at gmail.com
Tue Mar 13 18:07:55 CET 2012
Anyone? Is this a known bug?
On Mar 8, 2012, at 3:51 PM, Kurt Yoder wrote:
> Hi list,
>
> Using patterndb, has anyone successfully used multiple application patterns per ruleset? I have the following:
>
> <?xml version='1.0' encoding='UTF-8'?>
> <patterndb version='4' pub_date='2012-03-08'>
>   <ruleset name='rdc-pam' id='rdc-pam'>
>     <patterns>
>       <pattern>blahblah</pattern>
>       <pattern>sshd</pattern>
>     </patterns>
>     <rules>
>
>       <rule class='system' id='pam_session_opened_for_user_by_uid' provider='rdc'>
>         <description></description>
>         <patterns>
>           <pattern>pam_unix(sshd:session): session opened for user kurt by (uid=0)</pattern>
>         </patterns>
>         <values>
>         </values>
>         <tags>
>           <tag>rdc.alert.ok</tag>
>         </tags>
>       </rule>
>     </rules>
>   </ruleset>
> </patterndb>
>
> As soon as I remove "<pattern>blahblah</pattern>", or move it below "<pattern>sshd</pattern>", this rule starts matching events. When I add it back, it stops matching events.
>
> The documentation at http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.2-guide-admin-en.html/reference_patterndb_schemes.html says (incidentally, the closing "<patterns>" in this example should instead read "</patterns>"):
>
> "
> Specifying multiple patterns is useful if two or more applications have different names (that is, different $PROGRAM fields), but otherwise send identical log messages.
>
> <patterns>
> <pattern>firstapplication</pattern>
> <pattern>otherapplication</pattern>
> <patterns>
> This is exactly what I am trying to do, but it does not appear to work as documented.
>
> I manually backported my syslog-ng from Ubuntu Oneiric:
>
> $ syslog-ng --version
> syslog-ng 3.2.4
> Installer-Version: 3.2.4
> Revision: ssh+git://bazsi@git.balabit//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.2#master#ef7b91e4a1b1f9628c66138b4ae83de7e4c697c6
> Compile-Date: Jan 19 2012 02:57:58
> Enable-Threads: on
> Enable-Debug: off
> Enable-GProf: off
> Enable-Memtrace: off
> Enable-Sun-STREAMS: off
> Enable-IPv6: on
> Enable-Spoof-Source: on
> Enable-TCP-Wrapper: on
> Enable-SSL: on
> Enable-SQL: on
> Enable-Linux-Caps: on
> Enable-Pcre: on
> Enable-Pacct: off
>
> Can anyone offer a suggestion toward making this work?
>
> Thanks
>
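A way to check what the documentation promises for the ruleset above, as an added example that is not part of the original post or of syslog-ng itself: the script below parses the patterndb from the post (with two constructed `<test_message>` examples added, one per program name), builds the $PROGRAM-to-ruleset index that the `<patterns>` element is documented to express, and runs each test message through a deliberately simplified matcher. The matcher compares rule patterns literally because the rule in the post contains no `@parser@` tokens; it is a model of the documented dispatch, not syslog-ng's radix-tree implementation, and the function names are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the ruleset from the post, plus <examples> test messages
# for both program names (test_message is part of the patterndb v4 schema).
PATTERNDB_XML = """<?xml version='1.0' encoding='UTF-8'?>
<patterndb version='4' pub_date='2012-03-08'>
  <ruleset name='rdc-pam' id='rdc-pam'>
    <patterns>
      <pattern>blahblah</pattern>
      <pattern>sshd</pattern>
    </patterns>
    <rules>
      <rule class='system' id='pam_session_opened_for_user_by_uid' provider='rdc'>
        <patterns>
          <pattern>pam_unix(sshd:session): session opened for user kurt by (uid=0)</pattern>
        </patterns>
        <tags>
          <tag>rdc.alert.ok</tag>
        </tags>
        <examples>
          <example>
            <test_message program='sshd'>pam_unix(sshd:session): session opened for user kurt by (uid=0)</test_message>
          </example>
          <example>
            <test_message program='blahblah'>pam_unix(sshd:session): session opened for user kurt by (uid=0)</test_message>
          </example>
        </examples>
      </rule>
    </rules>
  </ruleset>
</patterndb>
"""


def load_program_index(xml_text):
    """Map every $PROGRAM name listed in a ruleset's <patterns> to that ruleset.
    Documented behaviour: every name in the list selects the same ruleset."""
    root = ET.fromstring(xml_text)
    index = {}
    for ruleset in root.iter("ruleset"):
        for pat in ruleset.findall("./patterns/pattern"):
            index[pat.text.strip()] = ruleset
    return index


def match(index, program, message):
    """Simplified model of patterndb dispatch (hypothetical, not syslog-ng's
    matcher): select the ruleset by $PROGRAM, then compare the rules' message
    patterns literally. Good enough for rules without @parser@ tokens."""
    ruleset = index.get(program)
    if ruleset is None:
        return None
    for rule in ruleset.findall("./rules/rule"):
        for pat in rule.findall("./patterns/pattern"):
            if pat.text == message:
                return {
                    "rule_id": rule.get("id"),
                    "tags": [t.text for t in rule.findall("./tags/tag")],
                }
    return None


def run_examples(xml_text):
    """Run every embedded <test_message> through the index, the way a
    self-test would, and return program name -> matched rule id (or None)."""
    index = load_program_index(xml_text)
    root = ET.fromstring(xml_text)
    results = {}
    for tm in root.iter("test_message"):
        program = tm.get("program")
        m = match(index, program, tm.text)
        results[program] = m["rule_id"] if m else None
    return results


if __name__ == "__main__":
    # Both program names are expected to reach the same rule.
    for program, rule_id in run_examples(PATTERNDB_XML).items():
        print(f"{program:10s} -> {rule_id}")
```

The embedded `<examples>` block is also what the real tooling consumes: `pdbtool test patterndb.xml` (pdbtool ships with syslog-ng) runs every `<test_message>` against the actual matcher, and `pdbtool match -p patterndb.xml -P blahblah -M "pam_unix(sshd:session): session opened for user kurt by (uid=0)"` tries a single program/message pair, so a mismatch between this model and pdbtool's result isolates the problem to the matcher rather than to the XML.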