[syslog-ng] patterndb

Fabien Wernli wernli at in2p3.fr
Tue Nov 26 13:56:09 CET 2013


Hi,

I'm currently organizing my patterndb files into something easily
maintainable, and I ran into the following problem, best explained using an
example: sshd and pam_unix.

Some sshd-specific patterns reside in a dedicated ruleset, e.g.

<ruleset name='sshd' id='A'>
  <patterns>
    <pattern>sshd</pattern>
  </patterns>
  <rules>
    <rule>
...
    </rule>
  </rules>
</ruleset>

Some of sshd's messages come from pam_unix, e.g. modules/pam_unix/support.c,
and are shared among other daemons:

<ruleset name='pam_unix' id='B'>
  <patterns>
    <pattern>crond</pattern>
    <pattern>imap</pattern>
    <pattern>login</pattern>
    <pattern>pam</pattern>
    <pattern>pure-ftpd</pattern>
    <pattern>proftpd</pattern>
    <pattern>sshd</pattern>
    <pattern>su</pattern>
    <pattern>sudo</pattern>
...
  </patterns>
  <rules>
    <rule>
...
    </rule>
  </rules>
</ruleset>

The problem is, when an sshd message is parsed, even if it doesn't match any
rules in ruleset 'A', ruleset 'B' isn't even considered for matching.

So how do I properly organize my pdb tree, without duplicating rules in multiple
source files?

Thanks in advance
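One way to keep the shared pam_unix rules in a single source file and still have them reached for sshd, as an added example that is not part of the original post and not code from the syslog-ng project: a small build step that copies the shared rules into every dedicated ruleset whose program list they cover, and strips those programs from the shared ruleset so no program is listed by two rulesets. It assumes what the post observes, that patterndb selects one ruleset per program name and never falls back to another. The two XML fragments, the rule ids, the rule patterns and the "-<ruleset name>" suffix given to copied rule ids (to keep ids unique when a shared rule is copied into several rulesets) are all constructed for the example.

```python
# Added example, not from the original post or from syslog-ng.
# Merges shared patterndb rules into program-specific rulesets at build time,
# assuming (as the post describes) that a message's program name selects a
# single ruleset and other rulesets listing the same program are never tried.
import copy
import xml.etree.ElementTree as ET

# Constructed stand-ins for two patterndb source files (ids and patterns invented).
SSHD_PDB = """<patterndb version='4' pub_date='2013-11-26'>
<ruleset name='sshd' id='A'>
  <patterns><pattern>sshd</pattern></patterns>
  <rules>
    <rule provider='example' id='A-1' class='system'>
      <patterns><pattern>Accepted publickey for @ESTRING:user: @from @IPv4:src_ip: @</pattern></patterns>
    </rule>
  </rules>
</ruleset>
</patterndb>"""

PAM_UNIX_PDB = """<patterndb version='4' pub_date='2013-11-26'>
<ruleset name='pam_unix' id='B'>
  <patterns>
    <pattern>crond</pattern>
    <pattern>sshd</pattern>
    <pattern>su</pattern>
  </patterns>
  <rules>
    <rule provider='example' id='B-1' class='security'>
      <patterns><pattern>pam_unix(@ESTRING:service:)@): authentication failure; logname=@ESTRING:logname: @</pattern></patterns>
    </rule>
  </rules>
</ruleset>
</patterndb>"""


def programs_of(ruleset):
    """Set of program names listed in a ruleset's <patterns>."""
    return {(p.text or '').strip() for p in ruleset.findall('patterns/pattern')}


def load_all(*xml_texts):
    """Concatenate the rulesets of several pdb files into one tree, unchanged."""
    out = ET.Element('patterndb', version='4', pub_date='2013-11-26')
    for text in xml_texts:
        out.extend(copy.deepcopy(rs) for rs in ET.fromstring(text).findall('ruleset'))
    return out


def program_conflicts(tree):
    """{program: [ruleset names]} for programs claimed by more than one ruleset,
    i.e. exactly the situation in which the second ruleset is never consulted."""
    seen = {}
    for rs in tree.findall('ruleset'):
        for prog in programs_of(rs):
            seen.setdefault(prog, []).append(rs.get('name'))
    return {p: names for p, names in seen.items() if len(names) > 1}


def merge_shared_rules(specific_xml, shared_xml):
    """Copy each shared rule into every dedicated ruleset sharing a program with
    it, then drop those programs from the shared ruleset.  Programs with no
    dedicated ruleset (crond, su here) keep being served by the shared one."""
    specific = [copy.deepcopy(r) for r in ET.fromstring(specific_xml).findall('ruleset')]
    shared = [copy.deepcopy(r) for r in ET.fromstring(shared_xml).findall('ruleset')]
    dedicated = set().union(*(programs_of(r) for r in specific))
    out = ET.Element('patterndb', version='4', pub_date='2013-11-26')
    for rs in specific:
        rules = rs.find('rules')
        if rules is None:
            rules = ET.SubElement(rs, 'rules')
        for sh in shared:
            if programs_of(rs) & programs_of(sh):
                for rule in sh.findall('rules/rule'):
                    clone = copy.deepcopy(rule)
                    # Suffix keeps ids unique if the same rule lands in several rulesets.
                    clone.set('id', '%s-%s' % (rule.get('id'), rs.get('name')))
                    rules.append(clone)
        out.append(rs)
    for sh in shared:
        pats = sh.find('patterns')
        for p in list(pats):
            if (p.text or '').strip() in dedicated:
                pats.remove(p)
        if len(pats):  # keep the shared ruleset only while some program still needs it
            out.append(sh)
    return out


def rule_ids_by_ruleset(tree):
    return {rs.get('name'): [r.get('id') for r in rs.findall('rules/rule')]
            for rs in tree.findall('ruleset')}


def programs_by_ruleset(tree):
    return {rs.get('name'): programs_of(rs) for rs in tree.findall('ruleset')}


def to_xml(tree):
    return ET.tostring(tree, encoding='unicode')


if __name__ == '__main__':
    print('conflicts before merge:', program_conflicts(load_all(SSHD_PDB, PAM_UNIX_PDB)))
    merged = merge_shared_rules(SSHD_PDB, PAM_UNIX_PDB)
    print('conflicts after merge: ', program_conflicts(merged))
    print(to_xml(merged))
```

Run the script once per build and load only the generated file into syslog-ng; the two hand-maintained source files stay free of duplicated rules, and program_conflicts() is the check to run before deploying, since any program it reports is one whose second ruleset will never match.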
