[syslog-ng] Can not get DBParse match macro result (syslog-ng 3.13 debian squeeze)

Evan Rempel erempel at uvic.ca
Sun Apr 28 17:38:41 CEST 2013


Sorry for not being more clear in my first response.

You have a template of

template("=== $PROGRAM,${.esxi_month} ${.esxi.date} ${.esxi.time} HOSTIP ${.esxi.host_ip},${.esxi.message}\n")

When syslog-ng receives a syslog message, it logs it as:

=== system,error,critical,   HOST IP ,

This means that $PROGRAM contains "system"

Now for the patterndb part.

The patterndb parser FIRST matches $PROGRAM to the <pattern>XXXX</pattern> in the <ruleset>

<?xml version="1.0" encoding="utf-8"?>
<patterndb version='3' pub_date='2009-04-17'>
    <ruleset name='esxi' id='123456678'>
        <pattern>XXXX</pattern>

In your case you have specified <pattern>ESXI</pattern> so the patterndb parser will NOT use any
of your patterndb because it does not match the $PROGRAM

You need to use

########   esxi_pattern.xml ############
<?xml version="1.0" encoding="utf-8"?>
<patterndb version='3' pub_date='2009-04-17'>
<ruleset name='esxi' id='123456678'>
<pattern>system</pattern>
<rules>
<rule provider='Fone Bro' id='182437592347598' class='esxi'>
<patterns>
<pattern>@STRING:.esxi.month:@ @STRING:.esxi.date:@ @STRING:.esxi.time::@ @IPv4:.esxi.host_ip:@@ESTRING:.esxi.program::@ @ANYSTRING:.esxi.message@</pattern>
</patterns>
</rule>
</rules>
</ruleset>
</patterndb>



You have not included a complete syslog-ng source line for me to see what you are trying to match against, so I cannot
tell if your pattern will actually match the lines that you are trying to match.
At my organization we run ESX as well, and none of our lines would match the pattern that you have, but
your environment might be different.

I hope this was more clear.

Evan.
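To make the two-stage match concrete, here is an added Python model of db-parser's behaviour on this thread's rule (example code written for this page, not part of syslog-ng or pdbtool): the ruleset's <pattern> is compared against $PROGRAM first, and only then is the message pattern run, so with PROGRAM "system" the unchanged ruleset sets no macros while the corrected one does. It models only the STRING, ESTRING, IPv4 and ANYSTRING parsers as used here, with an exact string compare for the ruleset pattern, and the sample message is the one from the pdbtool test quoted later in this thread.

```python
import re
import xml.etree.ElementTree as ET
# Constructed copy of the thread's esxi_pattern.xml (XML prolog omitted); the
# ruleset-level <pattern> names the program the ruleset is restricted to.
RULESET_XML = """<patterndb version='3' pub_date='2009-04-17'>
<ruleset name='esxi' id='123456678'><pattern>ESXI</pattern><rules>
<rule provider='Fone Bro' id='182437592347598' class='esxi'><patterns>
<pattern>@STRING:.esxi.month:@ @STRING:.esxi.date:@ @STRING:.esxi.time::@ @IPv4:.esxi.host_ip:@@ESTRING:.esxi.program::@ @ANYSTRING:.esxi.message@</pattern>
</patterns></rule></rules></ruleset></patterndb>"""
# Message text from the thread's pdbtool test, as a constructed sample.
MESSAGE = ("Apr 26 15:17:31 192.168.88.71 vmkernel: cpu11:8203)NMP: "
           "nmp_ThrottleLogForDevice:2319: Cmd 0x1a (0x4124444a6280, 0) to dev "
           "mpx.vmhba0:C0:T0:L0 on path vmhba0:C0:T0:L0 Failed: H:0x0 D:0x2 P:0x0 "
           "Valid sense data: 0x5 0x20 0x0. Act:NONE")
PARSER_RE = re.compile(r'@(\w+):([^:@]+)(?::([^@]*))?@')   # @TYPE:name[:params]@

def parser_regex(kind, params):
    """Regex body plus consumed tail for the parser types the thread's rule uses."""
    p = re.escape(params)
    return {'STRING': ('[A-Za-z0-9%s]+' % p, ''),        # alnum plus extra chars
            'ESTRING': ('[^%s]*' % p, p),                 # up to delimiter, consumed
            'IPv4': (r'\d{1,3}(?:\.\d{1,3}){3}', ''),
            'ANYSTRING': ('.*', '')}[kind]

def compile_pattern(pattern):
    """Translate a patterndb message pattern into a regex plus the value names."""
    regex, names, pos = '', [], 0
    for m in PARSER_RE.finditer(pattern):
        regex += re.escape(pattern[pos:m.start()])        # literal text between parsers
        body, tail = parser_regex(m.group(1), m.group(3) or '')
        names.append(m.group(2))
        regex += '(?P<v%d>%s)%s' % (len(names), body, tail)
        pos = m.end()
    return re.compile(regex + re.escape(pattern[pos:]), re.DOTALL), names

def classify(ruleset_xml, program, message):
    """Mimic db-parser: ruleset <pattern> must equal $PROGRAM before rules are tried."""
    for ruleset in ET.fromstring(ruleset_xml).iter('ruleset'):
        if program not in [p.text for p in ruleset.findall('pattern')]:
            continue                                       # wrong program: ruleset skipped
        for rule in ruleset.iter('rule'):
            for pat in rule.iter('pattern'):
                regex, names = compile_pattern(pat.text)
                hit = regex.fullmatch(message)
                if hit:
                    values = {'.classifier.class': rule.get('class'),
                              '.classifier.rule_id': rule.get('id')}
                    values.update(zip(names, hit.groups()))
                    return values
    return None                                            # no match: macros stay empty
```

Calling classify() with 'ESXI' reproduces what pdbtool -P ESXI printed, while 'system' returns None until the ruleset <pattern> is changed to system. Note also that the template in this thread references ${.esxi_month} while the rule sets .esxi.month; that name must agree as well before the month shows up in the output.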




________________________________________
From: 不坏阿峰 [onlydebian at gmail.com]
Sent: Sunday, April 28, 2013 8:24 AM
To: syslog-ng at lists.balabit.hu; Evan Rempel
Subject: Re: Can not get DBParse match macro result (syslog-ng 3.13 debian squeeze)

Thanks for your reply. I do not understand how to do it now; it has puzzled and troubled me for some days. I read the Balabit syslog-ng OSE guide documents and there is only simple information in there.

How do I do this?
----->>>>
If you change the patterndb ruleset pattern to use a program of system rather than ESXI I think it would work.


2013/4/28 <syslog-ng-request at lists.balabit.hu>

Message: 1
Date: Sat, 27 Apr 2013 22:34:50 +0800
From: 不坏阿峰 <onlydebian at gmail.com>
Subject: [syslog-ng] Can not get DBParse match macro result (syslog-ng 3.13 debian squeeze)
To: syslog-ng at lists.balabit.hu
Message-ID: <CA+SSH2oBB2-WWvQksbchVVoyhfZbdVvDR=V7wJ1EJdvE6Zx9zg at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

When I use pdbtool to do a match test, it succeeds, but from syslog-ng I cannot get the macro results.
For example, ${.esxi.month} has no value, and the same for ${.esxi.host_ip} and ${.esxi.time}.

The test log output looks like this:
=== system,error,critical,   HOST IP ,
=== system,error,critical,   HOST IP ,
=== system,error,critical,   HOST IP ,
=== system,error,critical,   HOST IP ,
=== system,error,critical,   HOST IP ,
=== system,error,critical,   HOST IP ,
=== system,error,critical,   HOST IP ,
=== system,error,critical,   HOST IP ,
=== system,error,critical,   HOST IP ,


The pdbtool test is OK. I wish someone could give me a solution and help; I have searched some mailing lists but I cannot find the right solution.
Thanks a lot.

root at debian:~# pdbtool match -D -c -p /etc/syslog-ng/patterndb/esxi_pattern.xml -P ESXI -M "Apr 26 15:17:31 192.168.88.71 vmkernel: cpu11:8203)NMP: nmp_ThrottleLogForDevice:2319: Cmd 0x1a (0x4124444a6280, 0) to dev "mpx.vmhba0:C0:T0:L0" on path "vmhba0:C0:T0:L0" Failed: H:0x0 D:0x2 P:0x0 Valid sense data: 0x5 0x20 0x0. Act:NONE"
Pattern matching part:
@STRING:.esxi.month=Apr@ @STRING:.esxi.date=26@ @STRING:.esxi.time=15:17:31@ @IPv4:.esxi.host_ip=192.168.88.71@@ESTRING:.esxi.program= vmkernel: cpu11:8203)NMP: nmp_ThrottleLogForDevice:2319: Cmd 0x1a (0x4124444a6280, 0) to dev mpx.vmhba0:C0:T0:L0 on path vmhba0:C0:T0:L0 Failed: H:0x0 D:0x2 P:0x0 Valid sense data: 0x5 0x20 0x0. Act:NONE@ @ANYSTRING:.esxi.message=cpu11:8203)NMP: nmp_ThrottleLogForDevice:2319: Cmd 0x1a (0x4124444a6280, 0) to dev mpx.vmhba0:C0:T0:L0 on path vmhba0:C0:T0:L0 Failed: H:0x0 D:0x2 P:0x0 Valid sense data: 0x5 0x20 0x0. Act:NONE@
Matching part:
Apr 26 15:17:31 192.168.88.71 vmkernel: cpu11:8203)NMP: nmp_ThrottleLogForDevice:2319: Cmd 0x1a (0x4124444a6280, 0) to dev mpx.vmhba0:C0:T0:L0 on path vmhba0:C0:T0:L0 Failed: H:0x0 D:0x2 P:0x0 Valid sense data: 0x5 0x20 0x0. Act:NONE
Values:
MESSAGE=Apr 26 15:17:31 192.168.88.71 vmkernel: cpu11:8203)NMP: nmp_ThrottleLogForDevice:2319: Cmd 0x1a (0x4124444a6280, 0) to dev mpx.vmhba0:C0:T0:L0 on path vmhba0:C0:T0:L0 Failed: H:0x0 D:0x2 P:0x0 Valid sense data: 0x5 0x20 0x0. Act:NONE
PROGRAM=ESXI
.classifier.class=esxi
.classifier.rule_id=182437592347598
.esxi.month=Apr
.esxi.date=26
.esxi.time=15:17:31
.esxi.host_ip=192.168.88.71
.esxi.program= vmkernel
.esxi.message=cpu11:8203)NMP: nmp_ThrottleLogForDevice:2319: Cmd 0x1a (0x4124444a6280, 0) to dev mpx.vmhba0:C0:T0:L0 on path vmhba0:C0:T0:L0 Failed: H:0x0 D:0x2 P:0x0 Valid sense data: 0x5 0x20 0x0. Act:NONE
root at debian:~#


My configuration is as below:

########   esxi_pattern.xml ############
<?xml version="1.0" encoding="utf-8"?>
<patterndb version='3' pub_date='2009-04-17'>
<ruleset name='esxi' id='123456678'>
<pattern>ESXI</pattern>
<rules>
<rule provider='Fone Bro' id='182437592347598' class='esxi'>
<patterns>
<pattern>@STRING:.esxi.month:@ @STRING:.esxi.date:@ @STRING:.esxi.time::@ @IPv4:.esxi.host_ip:@@ESTRING:.esxi.program::@ @ANYSTRING:.esxi.message@</pattern>
</patterns>
</rule>
</rules>
</ruleset>
</patterndb>

######## syslog-ng.conf      ########

#####Parser#####
parser pattern_db {
        db_parser( file("/etc/syslog-ng/patterndb/esxi_pattern.xml"));
};

#Check pattern matching
destination udp_esxi_output {
   file("/var/log/pattern_output"
   template("=== $PROGRAM,${.esxi_month} ${.esxi.date} ${.esxi.time} HOST IP ${.esxi.host_ip},${.esxi.message}\n")
template_escape(no));
};

#####Log#####
log {
        source(s_network);
        parser(pattern_db);
        destination(udp_esxi_output);
};

------------------------------

Message: 2
Date: Sat, 27 Apr 2013 16:10:02 +0000
From: Evan Rempel <erempel at uvic.ca>
Subject: Re: [syslog-ng] Can not get DBParse match macro result (syslog-ng 3.13 debian squeeze)
To: "Syslog-ng users' and developers' mailing list" <syslog-ng at lists.balabit.hu>
Message-ID: <q8vb966l4qe0219lsusm5ju4.1367078999747 at email.android.com>
Content-Type: text/plain; charset="iso-2022-jp"

It would appear that you have everything correct when the "PROGRAM" is ESXI but the log line as syslog-ng sees it has a PROGRAM of "system" according to your test log output.

If you change the patterndb ruleset pattern to use a program of system rather than ESXI I think it would work.


Evan Rempel   250.271.7691
University Systems, University of Victoria

End of syslog-ng Digest, Vol 96, Issue 25
*****************************************