[syslog-ng] pdbtool 'patternize'
David Hauck
davidh at netacquire.com
Wed Apr 16 18:15:37 CEST 2014
Hi Péter,
Another couple of questions regarding 'patternize'.
Why does the 'patternize' output not include additionally relevant parts of the schema? In particular the 'program pattern' is not output as part of the result? It's my understanding that this is key matching criteria when determining matches and I'm unsure what would happen with the pattern db that contains rulesets with no program pattern specifiers (note: the documentation does talk about the matching behaviour when ${PROGRAM} is empty, but this is different - i.e., I assume rules with empty program patterns don't get matched/looked at when ${PROGRAM} is non-empty).
Also, where is the actual schema (the xsd file) that defines the pattern db format (and the semantics of each element)? I've found the admin guide documentation lacking in terms of explicit description of the pattern db format (the brief section that attempts to describe this is very thin).
Thanks,
-David
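For reference, an added example (not from this thread or from the syslog-ng project) of a minimal patterndb v4 file in the format being asked about: the `<pattern>` directly under `<ruleset>` is the program pattern matched against ${PROGRAM}, while the `<pattern>` elements under `<rule>` are matched against ${MESSAGE}. The ruleset and rule ids are placeholders rather than real UUIDs, and the test message is constructed.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the thread. Ids are placeholders, not real UUIDs. -->
<patterndb version="4" pub_date="2014-04-16">
  <!-- Program pattern: this ruleset is only consulted for messages whose
       ${PROGRAM} matches "sshd". -->
  <ruleset name="sshd" id="RULESET-ID-PLACEHOLDER">
    <pattern>sshd</pattern>
    <rules>
      <!-- Message patterns: matched against ${MESSAGE}. The @ESTRING@ and
           @NUMBER@ parsers store the captured text into named name-value pairs. -->
      <rule provider="example" id="RULE-ID-PLACEHOLDER" class="system">
        <patterns>
          <pattern>Accepted @ESTRING:auth.method: @for @ESTRING:auth.user: @from @ESTRING:auth.src_ip: @port @NUMBER:auth.src_port@ ssh2</pattern>
        </patterns>
        <!-- Constructed sample message with the values the rule should extract. -->
        <examples>
          <example>
            <test_message program="sshd">Accepted publickey for alice from 192.0.2.10 port 51234 ssh2</test_message>
            <test_values>
              <test_value name="auth.method">publickey</test_value>
              <test_value name="auth.user">alice</test_value>
              <test_value name="auth.src_ip">192.0.2.10</test_value>
              <test_value name="auth.src_port">51234</test_value>
            </test_values>
          </example>
        </examples>
      </rule>
    </rules>
  </ruleset>
</patterndb>
```

The embedded `<examples>` can be checked against the rules with `pdbtool test` on the file.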
On Wednesday, April 16, 2014 3:13 AM, Péter Gyöngyösi <gyp at balabit.hu> wrote:
> Hi David,
>
> Robert is right, the pattern version is hardcoded. Taking a glimpse at
> the patterndb v3 and v4 XSDs I think the update should indeed be
> trivial, the format is upwards compatible. I'll send a pull request
> for this change in a minute.
>
> Regarding the formatting: it uses the parsing mechanism of syslog-ng
> internally. It works just as if you specified a file() source for
> syslog-ng with flags(syslog-protocol) added. You can also give
> "--no-parse" for the tool which makes it parse logs just like a file()
> source with flags(no-parse). It wouldn't be too complicated to make it
> possible to use all available file source flags but I never got around
> to doing it.
>
> cheers,
> Peter
>
> On Wed, Apr 16, 2014 at 1:40 AM, David Hauck <davidh at netacquire.com> wrote:
>
> Hello,
>
> Does anyone have an explanation for why a "pdbtool patternize"
> generated pattern db indicates it is version '3'? I'm running the
> latest version of syslog-ng (3.5.4.1) so I was expecting that this would produce a version '4'
> pattern db. Easy enough to change in the generated XML, just wondering
> why the latest generator wouldn't create the latest version.
>
> Also, what is the nominal format for the log messages that the
> 'patternize' command is able to process (i.e., would this be logs that
> contain the nominally formatted syslog-ng output - e.g., via the
> default template: template("$ISODATE $HOST $MSGHDR$MSG\n");). I've seen
> some output that appears to suggest there's some nominal decoding of
> the input log messages.
>
> Thanks,
> -David