[syslog-ng] How to use parsed results from program pattern?

Balazs Scheidler bazsi at balabit.hu
Thu Aug 29 18:26:57 CEST 2013 

On Thu, 2013-08-29 at 11:21 +0200, Daniel Walter wrote:
> Hi folks,
> 
> the documentation 
> (https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.4-guides/en/syslog-ng-ose-v3.4-guide-admin/html-single/index.html#chapter-patterndb) 
> states multiple times that program patterns and message patterns work 
> the same way.
> 
> "You can also use parsers in the program pattern if needed, and use the 
> parsed results later. For example: 
> <pattern>postfix\@ESTRING:.postfix.component:[@</pattern>"
> 
> I try to achieve exactly this behaviour. But my foobar.pdb (see 
> attachment or http://pastebin.com/aZKMKmkc) seems not to work. I tested 
> it with pdbtool:
> 
> pdbtool -v test foobar.pdb
> Testing message program='imapd(foo)' message='connect from 192.168.2.179 
> (192.168.2.179)'
>   Match name='.classifier.rule_id', value='foobaz', expected='foobaz'
>   Match name='IPA', value='192.168.2.179', expected='192.168.2.179'
>   Match name='IPB', value='192.168.2.179', expected='192.168.2.179'
>   Wrong match name='FOOA', value='', expected='foo'
>   Wrong match name='FOOB', value='', expected='foo'
> 
> 
> What I am doing wrong? How can I use the parsed results from program 
> pattern later?

hm... the extraction from the program name part was not always
implemented, and got ported from the PE version some time ago. Let me
check when it was integrated into the OSE tree.

This is the patch:

bazsi at bzorp:~/zwa/work/syslog-ng-ose-3.4/syslog-ng-ose/modules/dbparser$ git show 11f4ed96
commit 11f4ed960dcf7bc8ac053378fd1527870eaf7983
Author: Balazs Scheidler <bazsi at balabit.hu>
Date:   Fri Sep 16 12:00:58 2011 +0200

    db-parser(): add support for storing values extracted from the program name portion
    
    Previously, only the values extracted from the $MSG portion was used
    to populate the message. This patch makes it possible to use parsers
    in the program name field and name-value pairs extracted from $PROGRAM
    will be also set in the message if a match occurs.

And it was integrated into syslog-ng 3.4:

bazsi at bzorp:~/zwa/work/syslog-ng-ose-3.4/syslog-ng-ose/modules/dbparser$ git describe 11f4ed96
v3.4.0alpha2-30-g11f4ed9

Are you sure you tried it with 3.4 and not with the 3.3 version you also quoted?

It does work for me in 3.4:

bazsi at bzorp:~/.zwa/install/syslog-ng-ose-3.4$ pdbtool -v test ~/tmp/foobar.pdb 
Module loaded and initialized successfully; module='syslogformat'
Module loaded and initialized successfully; module='basicfuncs'
Testing message program='imapd(foo)' message='connect from 192.168.2.179 (192.168.2.179)'
 Match name='.classifier.rule_id', value='foobaz', expected='foobaz'
 Match name='IPA', value='192.168.2.179', expected='192.168.2.179'
 Match name='IPB', value='192.168.2.179', expected='192.168.2.179'
 Match name='FOOA', value='foo', expected='foo'
 Wrong match name='FOOB', value='', expected='foo'

FOOB wasn't set because it's not the pattern that was matched.

HTH

-- 
Bazsi

More information about the syslog-ng mailing list