[syslog-ng] How to use parsed results from program pattern?

Daniel Walter daniel.walter at helmundwalter.de
Thu Aug 29 11:21:23 CEST 2013


Hi folks,

the documentation 
(https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.4-guides/en/syslog-ng-ose-v3.4-guide-admin/html-single/index.html#chapter-patterndb) 
states multiple times that program patterns and message patterns work 
the same way.

"You can also use parsers in the program pattern if needed, and use the 
parsed results later. For example: 
<pattern>postfix\@ESTRING:.postfix.component:[@</pattern>"

I am trying to achieve exactly this behaviour. But my foobar.pdb (see 
attachment or http://pastebin.com/aZKMKmkc) does not seem to work. I tested 
it with pdbtool:

pdbtool -v test foobar.pdb
Testing message program='imapd(foo)' message='connect from 192.168.2.179 (192.168.2.179)'
  Match name='.classifier.rule_id', value='foobaz', expected='foobaz'
  Match name='IPA', value='192.168.2.179', expected='192.168.2.179'
  Match name='IPB', value='192.168.2.179', expected='192.168.2.179'
  Wrong match name='FOOA', value='', expected='foo'
  Wrong match name='FOOB', value='', expected='foo'


What am I doing wrong? How can I use the parsed results from the program 
pattern later?

Tested with syslog-ng versions:
syslog-ng 3.4.3
Installer-Version: 3.4.3
Revision: ssh+git://algernon@git.balabit/var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.4#no_branch#64d670f3cbfb90769f3c7f0fdd9c70bb9136ec5b
Compile-Date: Aug 27 2013 17:55:45
Available-Modules: afsocket-tls,cryptofuncs,affile,afsocket,syslogformat,dbparser,afsocket-notls,basicfuncs,json-plugin,system-source,afmongodb,afamqp,afprog,afuser,confgen,csvparser
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-IPv6: on
Enable-Spoof-Source: off
Enable-TCP-Wrapper: off
Enable-Linux-Caps: on
Enable-Pcre: on

And:
syslog-ng 3.3.9
Installer-Version: 3.3.9
Revision: 3.3.9-1 (/)
Compile-Date: May 26 2013 11:36:00
Default-Modules: affile,afprog,afsocket,afuser,afsql,basicfuncs,csvparser,dbparser,syslogformat
Available-Modules: afsocket-notls,basicfuncs,confgen,afsocket,convertfuncs,syslogformat,afuser,csvparser,dbparser,affile,afsocket-tls,afprog
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-IPv6: on
Enable-Spoof-Source: on
Enable-TCP-Wrapper: on
Enable-Linux-Caps: on
Enable-Pcre: on


Best Regards,
Daniel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: foobar.pdb
Type: chemical/x-pdb
Size: 961 bytes
Desc: not available
Url : http://lists.balabit.hu/pipermail/syslog-ng/attachments/20130829/771f650b/attachment.pdb 
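Editor's added example (not the scrubbed foobar.pdb attachment and not code from the syslog-ng project): a minimal patterndb v4 ruleset written in the form the quoted documentation describes, with an @ESTRING@ parser in the ruleset-level program pattern and a message-level value template that reuses that parsed result. It embeds the same test case the poster ran (program 'imapd(foo)', the connect-from message, expected FOOA/FOOB = foo) so a reader can re-run the check with pdbtool. The ruleset id, provider name, pub_date and class are placeholders; whether a given syslog-ng release actually exports FOOA from the program pattern is exactly what the post asks, and this example makes no claim about it.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the original attachment. Placeholder id/provider/date. -->
<patterndb version="4" pub_date="2013-08-29">
  <!-- Ruleset-level pattern is matched against the PROGRAM field.
       @ESTRING:FOOA:)@ consumes everything up to the closing ')' into FOOA,
       so program 'imapd(foo)' should yield FOOA=foo. -->
  <ruleset name="imapd" id="00000000-0000-0000-0000-000000000001">
    <pattern>imapd(@ESTRING:FOOA:)@</pattern>
    <rules>
      <rule provider="example" id="foobaz" class="system">
        <!-- Rule-level pattern is matched against the MESSAGE field. -->
        <patterns>
          <pattern>connect from @IPv4:IPA@ (@IPv4:IPB@)</pattern>
        </patterns>
        <!-- "Use the parsed results later": FOOB is a template that refers to
             the name-value pair the program pattern is supposed to have set. -->
        <values>
          <value name="FOOB">${FOOA}</value>
        </values>
        <!-- Constructed test case mirroring the poster's pdbtool run. -->
        <examples>
          <example>
            <test_message program="imapd(foo)">connect from 192.168.2.179 (192.168.2.179)</test_message>
            <test_values>
              <test_value name="IPA">192.168.2.179</test_value>
              <test_value name="IPB">192.168.2.179</test_value>
              <test_value name="FOOA">foo</test_value>
              <test_value name="FOOB">foo</test_value>
            </test_values>
          </example>
        </examples>
      </rule>
    </rules>
  </ruleset>
</patterndb>
```

Run it with `pdbtool test foobar.pdb` as in the post; `pdbtool test --validate` additionally checks the file against the patterndb XSD before matching. To see how far the program and message patterns get before they stop matching, `pdbtool match --debug-pattern -p foobar.pdb -P 'imapd(foo)' -M 'connect from 192.168.2.179 (192.168.2.179)'` prints the per-token match trace (option names as in the pdbtool manual; check `pdbtool match --help` on your build). If FOOA shows up empty there while IPA/IPB are filled, the @ESTRING@ in the program pattern matched (the rule was selected) but its result was not carried into the message's name-value pairs, which is the symptom the post describes.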