The pattern database is organized as follows:
Figure 240: The structure of the pattern database
-
The pattern database consists of rulesets. A ruleset consists of a Program Pattern and a set of rules: the rules of a ruleset are applied to log messages if the name of the application that sent the message matches the Program Pattern of the ruleset. The name of the application (the content of the ${PROGRAM} macro) is compared to the Program Patterns of the available rulesets, and then the rules of the matching rulesets are applied to the message.
-
The Program Pattern can be a string that specifies the name of the appliation or the beginning of its name (for example, to match for sendmail, the program pattern can be sendmail, or just send), and the Program Pattern can contain pattern parsers. Note that pattern parsers are completely independent from the syslog-ng parsers used to segment messages. Additionally, every rule has a unique identifier: if a message matches a rule, the identifier of the rule is stored together with the message.
-
Rules consist of a message pattern and a class. The Message Pattern is similar to the Program Pattern, but is applied to the message part of the log message (the content of the ${MESSAGE} macro). If a message pattern matches the message, the class of the rule is assigned to the message (for example, Security, Violation, and so on).
-
Rules can also contain additional information about the matching messages, such as the description of the rule, an URL, name-value pairs, or free-form tags. This information is displayed by the syslog-ng Store Box(SSB) appliance in the email alerts (if alerts are requested for the rule), and are also displayed on the search interface.
-
Patterns can consist of literals (keywords, or rather, keycharacters) and pattern parsers.
NOTE: If the ${PROGRAM} part of a message is empty, rules with an empty Program Pattern are used to classify the message.
If the same Program Pattern is used in multiple rulesets, the rules of these rulesets are merged, and every rule is used to classify the message. Note that message patterns must be unique within the merged rulesets, but the currently only one ruleset is checked for uniqueness.
This section describes how patterns work. This information applies to program patterns and message patterns alike, even though message patterns are used to illustrate the procedure.
Figure 241: Applying patterns
Patterns can consist of literals (keywords, or rather, keycharacters) and pattern parsers. Pattern parsers attempt to parse a sequence of characters according to certain rules.
NOTE: Wildcards and regular expressions cannot be used in patterns. The @ character must be escaped, that is, to match for this character, you have to write @@ in your pattern. This is required because pattern parsers of syslog-ng are enclosed between @ characters.
When a new message arrives, syslog-ng attempts to classify it using the pattern database. The available patterns are organized alphabetically into a tree, and syslog-ng inspects the message character-by-character, starting from the beginning. This approach ensures that only a small subset of the rules must be evaluated at any given step, resulting in high processing speed. Note that the speed of classifying messages is practically independent from the total number of rules.
For example, if the message begins with the Apple string, only patterns beginning with the character A are considered. In the next step, syslog-ng selects the patterns that start with Ap, and so on, until there is no more specific pattern left.
Note that literal matches take precedence over pattern parser matches: if at a step there is a pattern that matches the next character with a literal, and another pattern that would match it with a parser, the pattern with the literal match is selected. Using the previous example, if at the third step there is the literal pattern Apport and a pattern parser Ap@STRING@, the Apport pattern is matched. If the literal does not match the incoming string (foe example, Apple), syslog-ng attempts to match the pattern with the parser. However, if there are two or more parsers on the same level, only the first one will be applied, even if it does not perfectly match the message.
If there are two parsers at the same level (for example, Ap@STRING@ and Ap@QSTRING@), it is random which pattern is applied (technically, the one that is loaded first). However, if the selected parser cannot parse at least one character of the message, the other parser is used. But having two different parsers at the same level is extremely rare, so the impact of this limitation is much less than it appears.
To display the rules of a ruleset, enter the name of the ruleset into the Search > Ruleset name field, and click Show. If you do not know the name of the ruleset, type the beginning letter(s) of the name, and the names of the matching rulesets will be displayed. If you are looking for a specific rule, enter a search term into the Program or Message field and select Search. The rulesets that contain matching rules will be displayed.
NOTE: Rulesets containing large number of rules may not display correctly.
Figure 242: Log > Pattern Database > Search > Ruleset name — Searching rules
The following procedure describes how to create a new ruleset and new rules.
To create a new ruleset and new rules
-
Select Log > Pattern Database > Create new ruleset.
TIP: If you search for a ruleset that does not exist, syslog-ng Store Box (SSB) lets you create a new ruleset with the name you were searching for.
-
Enter a name for the ruleset into the Name field.
Figure 243: Log > Pattern Database > Create new ruleset — Creating pattern database rulesets
-
Enter the name of the application or a pattern that matches the applications into the Program pattern field. For details, see Using pattern parsers.
-
(Optional) Add a description to the ruleset.
-
Add rules to the class.
-
Click in the Rules section.
-
Enter the beginning of the log message or a pattern that matches the log message into the Pattern field. For details, see Using pattern parsers.
NOTE: Only messages sent by applications matching the Program pattern will be affected by this pattern.
-
Select the type of the message from the Class field. This class will be assigned to messages matching the pattern of this rule. The following classes are available: Violation, Security, and System.
If alerting is enabled at Log > Options > Alerting, SSB automatically sends an alert if a message is classified as Violation.
-
(Optional) Add a description, custom tags, and name-value pairs to the rule.
-
Repeat the previous step to add more rules.
-
To apply your changes, click .