Patterndb packaging and link to webpage about syslog-ng HOT 8 CLOSED

what do you mean difficult to manage?

pdbtool merge?

On Thu, Jul 10, 2014 at 1:08 PM, Tusa Viktor [email protected]
wrote:

We should make debian packages from the
https://github.com/balabit/syslog-ng-patterndb
repo, to be able to distribute it easily. We should also make a link to
this repo from the syslog-ng.org site.

Further plans: We should also consolidate them: some files has .pdb
extensions, some
of them has .xml. And they are separated in different files, so it is hard
to load them,
or manage them.

—
Reply to this email directly or view it on GitHub
#161.

from syslog-ng.

I mean: If I want to load an ssh pattern, I have to find the file, and then set is a a filename. That's easy so far. But after a month, I want to parse dns logs. Then I create a new xml, and merge these two into them. Then if I want to add newer and newer patterns, I have to constantly merge them into my xml, instead of simply enumerating them, and let patterndb merge it during load time. And when the patterns are updated upstream, after checking out the new version I have to re-merge them again.

from syslog-ng.

I think it is sane to have them in separate files.
Moreover, the Debian package could take care of merging.
What I think more urgent is to normalize the naming scheme. I have an ongoing project at my organization, where this is part of the goals. I started using the patterndbs from github, and did quite a lot of changes and additions. It's a shame that cee project died, but maintaining things in Debian will go into the same direction: if debian users see the same key/values it will start to become "standard" so IMHO it is very important to keep things simple and stable.
I've given many hours ^w days of thought into normalization/categorization and I think I could help in this regard, maybe by sharing my naming scheme with you and having a discussion maybe on IRC or by phone.

What do you think?

from syslog-ng.

My first sentence was a bit miswritten: If I want to load an ssh pattern, I have to find the file, and then set it as a filename in dbparser.

from syslog-ng.

The merging can - and somewhat is - handled on the packaging level. We have update-patterndb, that merges everything under /etc/syslog-ng/patterndb.d/ into /var/lib/syslog-ng/patterndb.xml. So if you want to enable a set of rules, just symlink them to that dir, run the script and reload syslog-ng.

It should even be possible to hook up a generator within the syslog-ng config, that does the update & merge every time the config is reloaded.

from syslog-ng.

Regarding a common naming scheme: yes, please! Discussion on the mailing list, or in GitHub PRs or IRC (or anywhere else) would be welcome.

from syslog-ng.

Right, I opened issues on both the patterndb and the website repos, to track the various bits there. Leaving this open here too, in case it turns out that we need changes in syslog-ng itself too.

from syslog-ng.

The one in patterndb has been closed, I think this should be also. (I do not see it happening either way.)

from syslog-ng.