[syslog-ng] Create Pattern-DB rules

Fabien Wernli wernli at in2p3.fr
Fri Oct 3 10:35:34 CEST 2014

Hi Justin,

First things first, your patterndb file doesn't validate.
You should always test and validate the files using
`pdbtool test --validate <file.pdb>`. You have to put the text of your
example in a `<test_message>` element, without forgetting the `program`:

        <test_message program="sshd">Failed password for kaladhar from port 44637 ssh2</test_message>

Now this probably doesn't explain why the parser doesn't match your messages.

On Thu, Oct 02, 2014 at 04:31:38PM -0400, Justin Kala wrote:
> * cat messagesAuth.2014.10.02.16unknown|unknown|*

this means your message correctly made it to the pattern parser, but didn't
match any rule.
What I can suggest, is to run syslog-ng in the foreground, using `syslog-ng
-Fvd` so you'll also get debugging information. Please post the relevant
info from the output, if you don't figure it out by yourself.


More information about the syslog-ng mailing list