[syslog-ng] Create Pattern-DB rules

Balazs Scheidler bazsi77 at gmail.com
Sun Nov 2 08:26:52 CET 2014


You can always use pdbtool match to debug and match messages against a
patterndb database.

It even colorizes the output to show how far a message matched.
On Oct 3, 2014 10:35 AM, "Fabien Wernli" <wernli at in2p3.fr> wrote:

> Hi Justin,
>
> First things first, your patterndb file doesn't validate.
> You should always test and validate the files using
> `pdbtool test --validate <file.pdb>`. You have to put the text of your
> example in a `<test_message>` element, without forgetting the `program`:
>
>     <examples>
>       <example>
>         <test_message program="sshd">Failed password for kaladhar from 127.0.1.1 port 44637 ssh2</test_message>
>       </example>
>     </examples>
>
> Now this probably doesn't explain why the parser doesn't match your
> messages.
>
> On Thu, Oct 02, 2014 at 04:31:38PM -0400, Justin Kala wrote:
> > * cat messagesAuth.2014.10.02.16unknown|unknown|*
>
> This means your message correctly made it to the pattern parser, but didn't
> match any rule.
> What I can suggest is to run syslog-ng in the foreground, using
> `syslog-ng -Fvd`, so you'll also get debugging information. Please post the
> relevant info from the output if you don't figure it out by yourself.
>
> Cheers
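Added example, not part of the original thread or of syslog-ng: a pre-check that can run before `pdbtool test --validate`, flagging rules whose examples lack a `<test_message>` or whose `<test_message>` lacks the `program` attribute mentioned in the quoted reply. The rule database, its ids, class values and parser field names are constructed for illustration, and comparing `program` to the ruleset `<pattern>` as a literal string is a simplifying assumption.

```python
import xml.etree.ElementTree as ET

# Constructed rule database. Ids, classes and parser field names are made up
# for this example; the test message text is the one quoted in the thread.
SAMPLE_PDB = """\
<patterndb version="4" pub_date="2014-10-03">
  <ruleset name="sshd" id="ruleset-placeholder-1">
    <pattern>sshd</pattern>
    <rules>
      <rule provider="example" id="rule-placeholder-1" class="violation">
        <patterns>
          <pattern>Failed password for @ESTRING:user: @from @IPv4:ip@ port @NUMBER:port@ ssh2</pattern>
        </patterns>
        <examples>
          <example><test_message program="sshd">Failed password for kaladhar from 127.0.1.1 port 44637 ssh2</test_message></example>
          <example><test_message>Failed password for kaladhar from 127.0.1.1 port 44637 ssh2</test_message></example>
        </examples>
      </rule>
      <rule provider="example" id="rule-placeholder-2" class="system">
        <patterns><pattern>Server listening on @ANYSTRING:addr@</pattern></patterns>
      </rule>
    </rules>
  </ruleset>
</patterndb>
"""

def lint_examples(pdb_xml):
    """Return (rule_id, problem) pairs for rules with missing or incomplete examples."""
    findings = []
    for ruleset in ET.fromstring(pdb_xml).iter("ruleset"):
        # Ruleset-level <pattern> elements select rules by program name.
        # Assumption: they are plain literals, so a string comparison is enough.
        programs = {p.text for p in ruleset.findall("pattern")}
        for rule in ruleset.iter("rule"):
            messages = rule.findall("examples/example/test_message")
            if not messages:
                findings.append((rule.get("id"), "no test_message"))
            for msg in messages:
                prog = msg.get("program")
                if prog is None:
                    findings.append((rule.get("id"), "test_message without program"))
                elif prog not in programs:
                    findings.append((rule.get("id"), "program %r not in ruleset" % prog))
    return findings

if __name__ == "__main__":
    for rule_id, problem in lint_examples(SAMPLE_PDB):
        print(rule_id, problem)
```

A clean result here only says the examples are present and addressed to the right ruleset; whether each message actually matches its pattern is still what `pdbtool test` and `pdbtool match` report.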