To classify messages using a pattern database, include a db-parser() statement in your syslog-ng configuration file using the following syntax:
parser <identifier> { db-parser(file("<database_filename>")); };
Note that using the parser in a log statement only performs the classification, but does not automatically do anything with the results of the classification.
The following statement uses the database located at /opt/syslog-ng/var/db/patterndb.xml.
parser pattern_db { db-parser( file("/opt/syslog-ng/var/db/patterndb.xml") ); };
To apply the patterns on the incoming messages, include the parser in a log statement:
log { source(s_all); parser(pattern_db); destination( di_messages_class); };
|
NOTE:
The default location of the pattern database file is /opt/syslog-ng/var/run/patterndb.xml. The file option of the db-parser() statement can be used to specify a different file, thus different db-parser statements can use different pattern databases. Later versions of syslog-ng will be able to dynamically generate a main database from separate pattern database files. |
The following destination separates the log messages into different files based on the class assigned to the pattern that matches the message (for example Violation and Security type messages are stored in a separate file), and also adds the ID of the matching rule to the message:
destination di_messages_class { file( "/var/log/messages-${.classifier.class}" template("${.classifier.rule_id};${S_UNIXTIME};${SOURCEIP};${HOST};${PROGRAM};${PID};${MESSAGE}\n") template-escape(no) ); };
For details on how to create your own pattern databases see The syslog-ng pattern database format.
If you want to automatically drop unmatched messages (that is, discard every message that does not match a pattern in the pattern database), use the drop-unmatched() option in the definition of the pattern database:
parser pattern_db { db-parser( file("/opt/syslog-ng/var/db/patterndb.xml") drop-unmatched(yes) ); };
Note that the drop-unmatched() option is available in syslog-ng OSE version
© ALL RIGHTS RESERVED. 이용 약관 개인정보 보호정책 Cookie Preference Center