[syslog-ng] Create Pattern-DB rules
Fabien Wernli
wernli at in2p3.fr
Fri Oct 3 10:35:34 CEST 2014
Hi Justin,
First things first, your patterndb file doesn't validate.
You should always test and validate the files using
`pdbtool test --validate <file.pdb>`. You have to put the text of your
example in a `<test_message>` element, without forgetting the `program`:
    <examples>
      <example>
        <test_message program="sshd">Failed password for kaladhar from 127.0.1.1 port 44637 ssh2</test_message>
      </example>
    </examples>
Now this probably doesn't explain why the parser doesn't match your messages.
On Thu, Oct 02, 2014 at 04:31:38PM -0400, Justin Kala wrote:
> * cat messagesAuth.2014.10.02.16unknown|unknown|*
This means your message correctly made it to the pattern parser, but didn't
match any rule.
What I can suggest is to run syslog-ng in the foreground, using
`syslog-ng -Fvd`, so you'll also get debugging information. Please post the
relevant info from the output if you don't figure it out by yourself.
Cheers
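
A minimal pattern database built around the test message from the post above, as an added example that is not part of the original e-mail. The ruleset and rule ids, the `provider` value, the rule pattern and the `ssh.*` value names are constructed for illustration, since the poster's actual rule is not shown on this page.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: ids, provider and value names below are constructed placeholders. -->
<patterndb version="4" pub_date="2014-10-03">
  <ruleset name="sshd" id="00000000-0000-4000-8000-000000000001">
    <!-- Ruleset-level pattern is matched against $PROGRAM, which is why the
         test_message further down must carry program="sshd". -->
    <pattern>sshd</pattern>
    <rules>
      <rule provider="example" id="00000000-0000-4000-8000-000000000002" class="violation">
        <patterns>
          <!-- ESTRING reads up to the delimiter " "; IPv4 and NUMBER are typed parsers. -->
          <pattern>Failed password for @ESTRING:ssh.user: @from @IPv4:ssh.src_ip@ port @NUMBER:ssh.src_port@ ssh2</pattern>
        </patterns>
        <examples>
          <example>
            <test_message program="sshd">Failed password for kaladhar from 127.0.1.1 port 44637 ssh2</test_message>
            <!-- pdbtool test checks that each extracted value equals the text given here. -->
            <test_values>
              <test_value name="ssh.user">kaladhar</test_value>
              <test_value name="ssh.src_ip">127.0.1.1</test_value>
              <test_value name="ssh.src_port">44637</test_value>
            </test_values>
          </example>
        </examples>
      </rule>
    </rules>
  </ruleset>
</patterndb>
```

Running `pdbtool test --validate <file.pdb>` on this file checks it against the schema and confirms that the embedded test message matches the rule and yields the listed values. A single message can also be checked by hand with `pdbtool match -p <file.pdb> -P sshd -M "<message text>"`.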