[syslog-ng] pdbtool 'patternize'

David Hauck davidh at netacquire.com
Thu Apr 17 16:57:32 CEST 2014


Hi,
 
On Thursday, April 17, 2014 1:08 AM, Fabien Wernli wrote:
> Hi,
> 
> On 16 Apr 2014 19:17, David Hauck <davidh at netacquire.com> wrote:
> 
>> OK, I get the gist of all of the above and so my remaining question is
>> then: "what's the point of the 'program pattern' in the ruleset definitions"?
> 
> It enables you to match similar messages with different $PROGRAM names.
> A good example is pam: the program can be any application using the 
> authentication module e.g. sshd, vsftpd, login, etc. but the message 
> is the same.

Sorry, I'm still not sure this clarifies it for me (and yes, the SSH example is a good one here). For example, if I have the following:

<patterndb ...>
  <ruleset ...>
    <pattern>sshd</pattern>  <!-- this is the first 'program pattern' -->
    <rules>
      ...
    </rules>
  </ruleset>
  <ruleset ...>
    <pattern>login</pattern>  <!-- this is the second 'program pattern' -->
    <rules>
      ...
    </rules>
  </ruleset>
</patterndb>

I would expect only the rules defined in each 'program pattern' block would be inspected for a match given a particular 'program pattern' match against $PROGRAM. For example, incoming messages from 'sshd' would be compared against rules in the first ruleset (and not the second) and incoming messages from 'login' would be compared against rules in the second ruleset (and not the first).

Do I have this right?

Thanks,
-David
 
> Cheers
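
As an added illustration of the scoping asked about in this thread (not part of the original messages and not syslog-ng's own code), a small Python model that loads two rulesets keyed by program pattern and inspects only the rules of the ruleset whose program pattern equals $PROGRAM. The patterndb fragment, rule ids and sample messages are constructed, and only the STRING, NUMBER and IPv4 parsers are modelled, as regexes.

```python
import re
import xml.etree.ElementTree as ET

# Constructed patterndb fragment: two rulesets, each keyed by one program pattern.
PATTERNDB_XML = """<patterndb version="4" pub_date="2014-04-17">
  <ruleset name="sshd-rules" id="ruleset-sshd">
    <pattern>sshd</pattern>
    <rules>
      <rule id="rule-ssh-1"><patterns><pattern>Accepted publickey for @STRING:user@ from @IPv4:src@</pattern></patterns></rule>
    </rules>
  </ruleset>
  <ruleset name="login-rules" id="ruleset-login">
    <pattern>login</pattern>
    <rules>
      <rule id="rule-login-1"><patterns><pattern>FAILED LOGIN @NUMBER:count@ FROM @STRING:tty@ FOR @STRING:user@</pattern></patterns></rule>
    </rules>
  </ruleset>
</patterndb>"""

# Assumption: only these three patterndb parsers are modelled, each as a regex.
PARSERS = {"STRING": r"\S+", "NUMBER": r"\d+", "IPv4": r"\d{1,3}(?:\.\d{1,3}){3}"}
TOKEN = re.compile(r"@(STRING|NUMBER|IPv4):(\w+)@")

def pattern_to_regex(pattern):
    # Literal text between @parser:name@ tokens is escaped; tokens become named groups.
    out, pos = [], 0
    for m in TOKEN.finditer(pattern):
        out.append(re.escape(pattern[pos:m.start()]))
        out.append("(?P<%s>%s)" % (m.group(2), PARSERS[m.group(1)]))
        pos = m.end()
    out.append(re.escape(pattern[pos:]))
    return re.compile("^" + "".join(out) + "$")

def load_rulesets(xml_text):
    # Returns [(ruleset id, set of program patterns, [(rule id, compiled regex)])].
    rulesets = []
    for rs in ET.fromstring(xml_text).findall("ruleset"):
        programs = {p.text for p in rs.findall("pattern")}
        rules = [(r.get("id"), pattern_to_regex(p.text))
                 for r in rs.findall("rules/rule") for p in r.findall("patterns/pattern")]
        rulesets.append((rs.get("id"), programs, rules))
    return rulesets

def classify(rulesets, program, message):
    """Only rulesets whose program pattern equals $PROGRAM are inspected; the others are skipped."""
    for rs_id, programs, rules in rulesets:
        if program not in programs:
            continue
        for rule_id, rx in rules:
            m = rx.match(message)
            if m:
                return rs_id, rule_id, m.groupdict()
    return None
```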

