[syslog-ng] Create Pattern-DB rules
wernli at in2p3.fr
Fri Oct 3 10:35:34 CEST 2014
First things first, your patterndb file doesn't validate.
You should always test and validate the files using
`pdbtool test --validate <file.pdb>`. You have to put the text of your
example in a `<test_message>` element, without forgetting the `program`:
<test_message program="sshd">Failed password for kaladhar from 127.0.1.1 port 44637 ssh2</test_message>
Now this probably doesn't explain why the parser doesn't match your messages.
On Thu, Oct 02, 2014 at 04:31:38PM -0400, Justin Kala wrote:
> * cat messagesAuth.2014.10.02.16unknown|unknown|*
this means your message correctly made it to the pattern parser, but didn't
match any rule.
What I can suggest is to run syslog-ng in the foreground, using
`syslog-ng -Fvd`, so you'll also get debugging information. Please post the
relevant info from the output if you don't figure it out by yourself.