[syslog-ng] pdbtool 'patternize'

Fabien Wernli wernli at in2p3.fr
Thu Apr 17 17:46:35 CEST 2014


On Thu, Apr 17, 2014 at 02:57:32PM +0000, David Hauck wrote:
> I would expect only the rules defined in each 'program pattern' block would be inspected for a match given a particular 'program pattern' match against $PROGRAM. For example, incoming messages from 'sshd' would be compared against rules in the first ruleset (and not the second) and incoming messages from 'login' would be compared against rules in the second ruleset (and not the first).
> 
> Do I have this right?

Yes, you do. In my example, where many programs have the same logs, you could
implement it the following way:

    <ruleset ...>
      <patterns>
        <pattern>login</pattern>
        <pattern>sshd</pattern>
        <pattern>pam_afs</pattern>
        <pattern>vsftpd</pattern>
        ...
      </patterns>

      <rules>
        ... insert common rules but with specific examples here ...
      </rules>
    </ruleset>
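
A filled-in version of the skeleton above, as an added example that is not part of the original message: one ruleset whose program patterns cover several daemons, with a single shared rule and one test example per program. The ruleset name, the ids (placeholders), the `pam.*` field names and the sample log lines are constructed for illustration.

```xml
<?xml version='1.0' encoding='UTF-8'?>
<!-- Added example; names, ids and messages are constructed, not from the thread. -->
<patterndb version='4' pub_date='2014-04-17'>
  <!-- The ruleset is considered only when $PROGRAM matches one of these patterns. -->
  <ruleset name='pam-common' id='00000000-0000-0000-0000-000000000001'>
    <patterns>
      <pattern>login</pattern>
      <pattern>sshd</pattern>
      <pattern>vsftpd</pattern>
    </patterns>
    <rules>
      <!-- One rule shared by every program listed above. -->
      <rule provider='example' id='00000000-0000-0000-0000-000000000002' class='system'>
        <patterns>
          <pattern>pam_unix(@ESTRING:pam.service::@session): session opened for user @ESTRING:pam.user: @by @ANYSTRING@</pattern>
        </patterns>
        <!-- Program-specific examples: each test_message names the program it came from. -->
        <examples>
          <example>
            <test_message program='sshd'>pam_unix(sshd:session): session opened for user alice by (uid=0)</test_message>
            <test_values>
              <test_value name='pam.service'>sshd</test_value>
              <test_value name='pam.user'>alice</test_value>
            </test_values>
          </example>
          <example>
            <test_message program='login'>pam_unix(login:session): session opened for user bob by LOGIN(uid=0)</test_message>
            <test_values>
              <test_value name='pam.service'>login</test_value>
              <test_value name='pam.user'>bob</test_value>
            </test_values>
          </example>
        </examples>
      </rule>
    </rules>
  </ruleset>
</patterndb>
```

Running `pdbtool test` on the file checks each `test_message` against the database and compares the extracted values with the listed `test_value` entries.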