[syslog-ng] Create Pattern-DB rules

Fabien Wernli wernli at in2p3.fr
Tue Sep 30 21:34:44 CEST 2014


Hi again,

On Tue, Sep 30, 2014 at 03:04:32PM -0400, Justin Kala wrote:
> example: what to put in place of timezone ,hostname, program etc.
> especially this part "2014-09-28T14:12:44-04:00 abcdef01-app/abcdef01-app
> sshd[11019]: [ID 800047
> > auth.notice] " rest of the message is written in the example you provided

First things first, you shouldn't need to worry about date, host and
program: they are automatically parsed by syslog-ng and cast
respectively into the macros $DATE, $HOST, and $PROGRAM. The latter is
used by patterndb to separate rulesets. So in your example,
$PROGRAM=sshd, $MSG=[ID 800047 auth.notice] ...

Secondly, if I were you, I wouldn't touch the patterndb: I'd rather rewrite
all messages to drop the annoying prefix, and only then pass the result to
the dbparser.

If you don't know how to do that, I can be of further assistance :-)

cheers
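The rewrite-then-parse setup described in the reply above, as an added example that is not part of the original thread: a syslog-ng configuration that strips the Solaris-style "[ID nnnnnn facility.priority] " prefix from $MSG with a rewrite rule and only then hands the message to db-parser(). The object names (s_net, r_strip_solaris_id, p_patterndb, d_parsed), the UDP source and both file paths are assumptions chosen for this example; the macros ($MESSAGE, $PROGRAM, ${.classifier.rule_id}, ${.classifier.class}) are syslog-ng's own.

```conf
# Added example, not the original poster's or syslog-ng's configuration.
# Object names, the UDP source and the file paths are assumptions.

source s_net {
    # assumption: messages arrive over plain UDP syslog on port 514
    udp(port(514));
};

# syslog-ng has already split off $DATE, $HOST and $PROGRAM by the time a
# rewrite runs, so the unwanted prefix sits at the very start of $MESSAGE
# (alias $MSG).  Remove "[ID <digits> <facility>.<priority>] " once, at the
# start only; the message ID from the thread (800047) is just one instance.
rewrite r_strip_solaris_id {
    subst(
        "^\\[ID [0-9]+ [a-z0-9]+\\.[a-z]+\\] ",
        "",
        value("MESSAGE"),
        type("pcre")
    );
};

# patterndb picks the ruleset by $PROGRAM (sshd in the thread's example), so
# the patterns in the XML only have to match the text that follows the prefix.
parser p_patterndb {
    db-parser(file("/etc/syslog-ng/patterndb.xml"));   # assumption: your pattern file
};

# One line per message showing what patterndb saw and what it matched.
# ${.classifier.rule_id} stays empty when no rule matched, which is a quick
# way to confirm the prefix is really gone before writing more rules.
destination d_parsed {
    file("/var/log/parsed.log"
        template("${ISODATE} ${HOST} ${PROGRAM}: msg='${MESSAGE}' rule='${.classifier.rule_id}' class='${.classifier.class}'\n")
    );
};

log {
    source(s_net);
    rewrite(r_strip_solaris_id);   # strip the prefix first ...
    parser(p_patterndb);           # ... then classify the cleaned message
    destination(d_parsed);
};
```

With the thread's sample line, $PROGRAM is sshd and $MESSAGE starts with "[ID 800047 auth.notice] " on entry to the rewrite; after it, $MESSAGE is whatever followed that prefix, which is what the patterndb rule should match. If the Solaris message ID is worth keeping for later searches, capture it into a name-value pair (for example with a regexp parser) before the rewrite discards it.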
