[syslog-ng] pdbtool 'patternize'

David Hauck davidh at netacquire.com
Thu Apr 17 18:21:34 CEST 2014


Hi Fabien,
 
On Thursday, April 17, 2014 8:47 AM, you wrote:
> On Thu, Apr 17, 2014 at 02:57:32PM +0000, David Hauck wrote:
>> I would expect only the rules defined in each 'program pattern'
>> block would
>> be inspected for a match given a particular 'program pattern' match
>> against $PROGRAM. For example, incoming messages from 'sshd' would be
>> compared against rules in the first ruleset (and not the second) and
>> incoming messages from 'login' would be compared against rules in the
>> second ruleset (and not the first).
>> 
>> Do I have this right?
> 
> Yes, you do. In my example, where many programs have the same logs,
> you could implement it the following way:
> 
>     <ruleset ...>
>       <patterns>
>         <pattern>login</pattern>
>         <pattern>sshd</pattern>
>         <pattern>pam_afs</pattern>
>         <pattern>vsftpd</pattern>
>         ...
>       </patterns>
>       
>       <rules>
>          ... insert common rules but with specific examples here ...
>       </rules>
>    </ruleset>

Great, thanks for clarifying this. I'd asked this originally because I thought that I'd seen that this wasn't happening (I must have mistaken the result for something else). By extension then I guess that rulesets without 'program pattern' elements provide default rules for *any* incoming message with a non-zero $PROGRAM value (right?).

Cheers,
-David
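For readers following this thread, here is a fleshed-out version of the shared-ruleset layout Fabien sketched above. It is an added illustration, not a file from the thread or from the syslog-ng project: the ruleset names, ids, the sample sshd/login messages and the parser names (`user`, `client_addr`, `port`) are all made up for the example. The shared ruleset lists several program patterns and carries one rule that several of those programs emit in the same form; the second ruleset deliberately has no `<patterns>` element so that David's question about default rules can be checked empirically rather than assumed.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example patterndb: one ruleset shared by several programs
     plus a ruleset without program patterns. Names and ids are invented. -->
<patterndb version="4" pub_date="2014-04-17">

  <!-- Shared ruleset: matched only when $PROGRAM matches one of the
       <pattern> entries below (this is the layout from Fabien's reply). -->
  <ruleset name="auth-common" id="example-auth-common-ruleset">
    <patterns>
      <pattern>login</pattern>
      <pattern>sshd</pattern>
      <pattern>pam_afs</pattern>
      <pattern>vsftpd</pattern>
    </patterns>

    <rules>
      <!-- One common rule: a failed password attempt. The parsers pull out
           the account, the client address and the source port so a
           downstream filter or alert can use them as name-value pairs. -->
      <rule provider="example" id="example-auth-failed-password" class="violation">
        <patterns>
          <pattern>Failed password for @ESTRING:user: @from @IPv4:client_addr@ port @NUMBER:port@ ssh2</pattern>
        </patterns>
        <tags>
          <tag>auth.failure</tag>
        </tags>
        <!-- Examples let 'pdbtool test' confirm the parsers extract what
             we expect; these messages are constructed for the example. -->
        <examples>
          <example>
            <test_message program="sshd">Failed password for root from 203.0.113.4 port 51234 ssh2</test_message>
            <test_values>
              <test_value name="user">root</test_value>
              <test_value name="client_addr">203.0.113.4</test_value>
              <test_value name="port">51234</test_value>
            </test_values>
          </example>
        </examples>
      </rule>
    </rules>
  </ruleset>

  <!-- No <patterns> element here on purpose. Assumption to be verified:
       that such a ruleset is consulted for messages whose $PROGRAM matched
       nothing else, which is exactly what David asks above. -->
  <ruleset name="catch-all" id="example-catch-all-ruleset">
    <rules>
      <rule provider="example" id="example-unclassified-auth-text" class="system">
        <patterns>
          <pattern>authentication failure@ANYSTRING:rest@</pattern>
        </patterns>
        <tags>
          <tag>auth.unclassified</tag>
        </tags>
      </rule>
    </rules>
  </ruleset>

</patterndb>
```

Two pdbtool commands exercise this: `pdbtool test example.xml` runs the embedded `<examples>` and reports any test_value that did not parse, and `pdbtool match -p example.xml -P sshd -M "Failed password for root from 203.0.113.4 port 51234 ssh2"` shows which rule (if any) a given program/message pair hits. Running the second command with `-P cron` and a message matching only the catch-all rule is the quick way to settle, for the syslog-ng version actually deployed, whether a ruleset without `<patterns>` really behaves as a default.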

