[syslog-ng] No PatternDB Matches

Michael Starks syslog-ng-list at michaelstarks.com
Tue Jul 1 23:49:45 CEST 2014

x-posted from ELSA mailing list; no replies there so please excuse the 

I am trying to add an additional ASA log message that is unclassified in 
ELSA. To make a long story short, *nothing* seems to be matching with 
pdbtool. Here is the line I am trying to work with:

Jun 23 00:00:05 %ASA-3-106100: access-list INOUT denied tcp 
inside/ -> outside/ hit-cnt 1 first hit 
[0x59bca63e, 0x620e5b55]

Putting that aside for the moment since I can't get it to work, I went 
straight to the syslog-ng docs 
and used the example. I created /etc/elsa/patterns.d/test.xml with this 

<patterndb version='4' pub_date='2010-10-17'>
     <ruleset name='ssh' id='123456678'>
                 <rule provider='me' id='182437592347598' class='system'>
                         <pattern>Accepted @QSTRING:SSH.AUTH_METHOD: @ 
@NUMBER:SSH_PORT_NUMBER:@ ssh2</pattern>

I then tested with this line:

/usr/local/syslog-ng/bin/pdbtool match -p /etc/elsa/patterns.d/test.xml 
-M "Accepted password for sampleuser from port 42156 ssh2"

The result is this:

MESSAGE=Accepted password for sampleuser from port 42156 

Details are:

[root at hostname elsa]# /usr/local/syslog-ng-3.2.4/sbin/syslog-ng -V
syslog-ng 3.2.4
Installer-Version: 3.2.4
Compile-Date: May 23 2012 09:58:14
Enable-Threads: off
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-Sun-STREAMS: off
Enable-IPv6: on
Enable-Spoof-Source: off
Enable-TCP-Wrapper: off
Enable-SSL: on
Enable-SQL: off
Enable-Linux-Caps: on
Enable-Pcre: on
Enable-Pacct: off

[root at hostname elsa]# cat /etc/redhat-release
Oracle Linux Server release 6.5

Thank you in advance.
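Added example, not from the original post nor from the syslog-ng or ELSA projects: a complete patterndb v4 file for the ASA 106100 access-list message quoted above, with the source and destination addresses and ports the archive dropped replaced by constructed values. It assumes that syslog-ng takes the token before the first colon, `%ASA-3-106100`, as PROGRAM, and the ruleset and rule ids are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<patterndb version="4" pub_date="2014-07-01">
  <!-- Program pattern (assumption): the legacy syslog parser takes the token
       before the first ':' as PROGRAM, so here that is "%ASA-3-106100". -->
  <ruleset name="cisco_asa_106100" id="placeholder-ruleset-0001">
    <patterns>
      <pattern>%ASA-3-106100</pattern>
    </patterns>
    <rules>
      <rule provider="example" id="placeholder-rule-0001" class="violation">
        <patterns>
          <!-- ESTRING consumes text up to and including its delimiter;
               "&gt;" is just ">" escaped for XML. -->
          <pattern>access-list @ESTRING:acl_name: @@ESTRING:acl_action: @@ESTRING:proto: @@ESTRING:src_iface:/@@IPv4:src_ip:@(@NUMBER:src_port:@) -&gt; @ESTRING:dst_iface:/@@IPv4:dst_ip:@(@NUMBER:dst_port:@) hit-cnt @NUMBER:hit_cnt:@ @ANYSTRING:hit_info:@</pattern>
        </patterns>
        <!-- Constructed sample line (addresses and ports invented);
             "pdbtool test" checks that the pattern yields these values. -->
        <examples>
          <example>
            <test_message program="%ASA-3-106100">access-list INOUT denied tcp inside/10.1.2.3(51234) -&gt; outside/192.0.2.10(443) hit-cnt 1 first hit [0x59bca63e, 0x620e5b55]</test_message>
            <test_values>
              <test_value name="acl_name">INOUT</test_value>
              <test_value name="acl_action">denied</test_value>
              <test_value name="proto">tcp</test_value>
              <test_value name="src_iface">inside</test_value>
              <test_value name="src_ip">10.1.2.3</test_value>
              <test_value name="src_port">51234</test_value>
              <test_value name="dst_iface">outside</test_value>
              <test_value name="dst_ip">192.0.2.10</test_value>
              <test_value name="dst_port">443</test_value>
              <test_value name="hit_cnt">1</test_value>
              <test_value name="hit_info">first hit [0x59bca63e, 0x620e5b55]</test_value>
            </test_values>
          </example>
        </examples>
      </rule>
    </rules>
  </ruleset>
</patterndb>
```

Validate the file and its embedded example with `pdbtool test asa-106100.xml`, and match a live line with `pdbtool match -p asa-106100.xml -P '%ASA-3-106100' -M 'access-list INOUT denied tcp ...'`. A ruleset is only consulted when its program pattern matches the PROGRAM value, so the program must be supplied with -P when testing with pdbtool match.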
