1PDBTOOL(1) The pdbtool manual page PDBTOOL(1)
2
6 pdbtool - An application to test and convert syslog-ng pattern database
7 rules
8
10 pdbtool [command] [options]
11
13 This manual page is only an abstract; for the complete documentation of
14 syslog-ng and pdbtool, see
15 The syslog-ng Administrator Guide [1].
16 The syslog-ng application can match the contents of the log messages to
18 a database of predefined message patterns (also called patterndb). By
19 comparing the messages to the known patterns, syslog-ng is able to
20 identify the exact type of the messages, tag the messages, and sort
21 them into message classes. The message classes can be used to classify
22 the type of the event described in the log message. The functionality
23 of the pattern database is similar to that of the logcheck project, but
24 the syslog-ng approach is faster, scales better, and is much easier to
25 maintain compared to the regular expressions of logcheck.
26 The pdbtool application is a utility that can be used to:
28 · test message patterns;
30 · convert an older pattern database to the latest database format;
32 · merge pattern databases into a single file;
34 · dump the RADIX tree built from the pattern database (or a part of
36 it) to explore how the pattern matching works.
37
39 match [options]
40 Use the match command to test the rules in a pattern database. The
42 command tries to match the specified message against the patterns of
43 the database, evaluates the parsers of the pattern, and also displays
44 which part of the message was parsed successfully. The command returns
45 with a 0 (success) or 1 (no match) return code and displays the
46 following information:
47 · the class assigned to the message (e.g., system, violation, etc.),
49 · the ID of the rule that matched the message, and
51 · the values of the parsers (if there were parsers in the matching
53 pattern).
54 The match command has the following options:
56 --color-out or -c
58 Color the terminal output to highlight the part of the message that
59 was successfully parsed.
60 --debug-pattern or -D
62 Print debugging information about the pattern matching.
63 --message or -M
65 The text of the log message to match (only the $MESSAGE part
66 without the syslog headers).
67 --pdb or -p
69 Name of the pattern database file to use.
70 --program or -P
72 Name of the program to use, as contained in the $PROGRAM part of
73 the syslog message.
74 Example:
76 pdbtool match -p patterndb.xml -P sshd -M "Accepted publickey for myuser from 127.0.0.1 port 59357 ssh2"
78
80 merge [options]
81 Use the merge command to combine separate pattern database files into a
83 single file (pattern databases are usually stored in separate files per
84 applications to simplify maintenance). If a file uses an older database
85 format, it is automatically updated to the latest format (V3). See the
86 The syslog-ng Administrator Guide [1] for details on the different
87 pattern database versions.
88 --directory or -D
90 The directory that contains the pattern database XML files to be
91 merged.
92 --pdb or -p
94 Name of the output pattern database file.
95 Example:
97 pdbtool merge --directory /home/me/mypatterns/ --pdb /var/lib/syslog-ng/patterndb.xml
99 Currently it is not possible to convert a file without merging, so if
102 you only want to convert an older pattern database file to the latest
103 format, you have to copy it into an empty directory.
104
106 dump [options]
107 Display the RADIX tree built from the patterns. This shows how are the
109 patterns represented in syslog-ng and it might also help to track down
110 pattern-matching problems. The dump utility can dump the tree used for
111 matching the PROGRAM or the MSG parts.
112 --pdb or -p
114 Name of the pattern database file to use.
115 --program or -P
117 Displays the RADIX tree built from the patterns belonging to the
118 $PROGRAM application.
119 --program-tree or -T
121 Display the $PROGRAM tree.
122 Example and sample output:
124 pdbtool dump -p patterndb.xml -P ´sshd´
126 ´p´
130 ´assword for´
131 @QSTRING:@
132 ´from´
133 @QSTRING:@
134 ´port ´
135 @NUMBER:@ rule_id=´fc49054e-75fd-11dd-9bba-001e6806451b´
136 ´ ssh´ rule_id=´fc55cf86-75fd-11dd-9bba-001e6806451b´
137 ´2´ rule_id=´fc4b7982-75fd-11dd-9bba-001e6806451b´
138 ´ublickey for´
139 @QSTRING:@
140 ´from´
141 @QSTRING:@
142 ´port ´
143 @NUMBER:@ rule_id=´fc4d377c-75fd-11dd-9bba-001e6806451b´
144 ´ ssh´ rule_id=´fc5441ac-75fd-11dd-9bba-001e6806451b´
145 ´2´ rule_id=´fc44a9fe-75fd-11dd-9bba-001e6806451b´
146
149 /opt/syslog-ng/etc/syslog-ng/
150 /opt/syslog-ng/etc/syslog-ng/syslog-ng.conf
152
154 The syslog-ng Administrator Guide [1]
155 syslog-ng.conf(5)
157 syslog-ng(8)
159 If you experience any problems or need help with syslog-ng, visit the
161 syslog-ng mailing list [2]
162 For news and notifications about the documentation of syslog-ng, visit
164 the BalaBit Documentation Blog[3].
165
167 This manual page was written by the BalaBit Documentation Team
168 <documentation@balabit.com>.
169
171 Copyright © 2000-2009 BalaBit IT Security Ltd. Published under the
172 Creative Commons Attribution-Noncommercial-No Derivative Works
173 (by-nc-nd) 3.0 license. See http://creativecommons.org/ for details.
174 The latest version is always available at
175 http://www.balabit.com/support/documentation.
176
178 1.
179 The syslog-ng Administrator Guide
181 http://www.balabit.com/support/documentation/
183 2.
185 syslog-ng mailing list
187 https://lists.balabit.hu/mailman/listinfo/syslog-ng
189 3. BalaBit Documentation Blog
191 http://robert.blogs.balabit.com
192 11/30/2009 PDBTOOL(1)