FreeBSD Manual Pages
pdbtool(1)		    The	pdbtool	manual page		    pdbtool(1)

NAME
       pdbtool - An application to test and convert syslog-ng OSE pattern
       database rules

Synopsis
       pdbtool [command] [options]

Description
       This manual page	is only	an abstract.

       The syslog-ng OSE application can match the contents of	the  log  mes-
       sages  to  a  database of predefined message patterns (also called pat-
       terndb).	By comparing the messages to the known patterns, syslog-ng OSE
       is able to identify the exact type of the messages, tag	the  messages,
       and  sort them into message classes. The	message	classes	can be used to
       classify	the type of the	event described	in the log message. The	 func-
       tionality  of  the  pattern database is similar to that of the logcheck
       project,	but the	syslog-ng OSE approach is faster, scales  better,  and
       is  much	 easier	 to  maintain  compared	 to the	regular	expressions of
       logcheck.

       The pdbtool application is a utility that can be	used to:

              •	test messages, or specific rules

              •	convert an older pattern database to the latest database
                format

              •	merge pattern databases into a single file

              •	automatically create pattern databases from a large amount of
                log messages

              •	dump the RADIX tree built from the pattern database (or a part
                of it) to explore how the pattern matching works.

The dictionary command
       dictionary [options]

       Lists every name-value pair that	can be set by the rules	of the pattern
       database.

              •	--dump-tag or -T

	      List the tags instead of the names of the	name-value pairs.

              •	--pdb <path-to-file> or -p <path-to-file>

	      Name of the pattern database file	to use.

              •	--program <programname> or -P <programname>

	      List only	the name-value pairs that can be set for the  messages
	      of the specified ${PROGRAM} application.

The dump command
       dump [options]

       Display the RADIX tree built from the patterns. This shows how the
       patterns are represented in syslog-ng OSE and can help to track down
       pattern-matching problems. The dump utility can dump the tree used for
       matching either the PROGRAM or the MSG part.

	      	--debug	or -d

	      Enable debug/diagnostic messages on stderr.

	      	--pdb or -p

	      Name of the pattern database file	to use.

	      	--program or -P

	      Displays the RADIX tree built from the patterns belonging	to the
	      ${PROGRAM} application.

	      	--program-tree or -T

	      Display the ${PROGRAM} tree.

	      	--verbose or -v

	      Enable verbose messages on stderr.

   Example and sample output
	      pdbtool dump -p patterndb.xml  -P	'sshd'

	      'p'
		  'assword for'
		  @QSTRING:@
		      'from'
		      @QSTRING:@
			  'port	'
			  @NUMBER:@ rule_id='fc49054e-75fd-11dd-9bba-001e6806451b'
			      '	ssh' rule_id='fc55cf86-75fd-11dd-9bba-001e6806451b'
				  '2' rule_id='fc4b7982-75fd-11dd-9bba-001e6806451b'
		  'ublickey for'
		  @QSTRING:@
		      'from'
		      @QSTRING:@
			  'port	'
			  @NUMBER:@ rule_id='fc4d377c-75fd-11dd-9bba-001e6806451b'
			      '	ssh' rule_id='fc5441ac-75fd-11dd-9bba-001e6806451b'
				  '2' rule_id='fc44a9fe-75fd-11dd-9bba-001e6806451b'

The match command
       match [options]

       Use the match command to	test the rules in a pattern database. The com-
       mand  tries  to match the specified message against the patterns	of the
       database, evaluates the parsers of the pattern, and also	displays which
       part of the message was parsed successfully. The	command	returns	with a
       0 (success) or 1	(no match) return code and displays the	following  in-
       formation:

              •	the class assigned to the message (that is, system, violation,
                and so on),

              •	the ID of the rule that matched the message, and

              •	the values of the parsers (if there were parsers in the
                matching pattern).

       The match command has the following options:

	      	--color-out or -c

	      Color  the  terminal output to highlight the part	of the message
	      that was successfully parsed.

	      	--debug	or -d

	      Enable debug/diagnostic messages on stderr.

	      	--debug-csv or -C

	      Print the	debugging information returned by the  --debug-pattern
	      option as	comma-separated	values.

	      	--debug-pattern	or -D

	      Print debugging information about	the pattern matching. See also
	      the --debug-csv option.

	      	--file=<filename-with-path> or -f

              Process the messages of the specified log file with the pattern
              database. This option allows you to classify messages offline and
              to apply the pattern database to already existing logfiles. To
              read the messages from the standard input (stdin), specify a
              hyphen (-) character instead of a filename.

	      	--filter=<filter-expression> or	-F

	      Print only messages matching the specified syslog-ng OSE	filter
	      expression.

	      	--message or -M

	      The  text	 of  the  log  message to match	(only the MESSAGE part
	      without the syslog headers).

	      	--pdb or -p

	      Name of the pattern database file	to use.

	      	--program or -P

	      Name of the program to use, as contained in the PROGRAM part  of
	      the syslog message.

	      	--template=<template-expression> or -T

	      A	 syslog-ng  OSE	template expression that is used to format the
	      output messages.

	      	--verbose or -v

	      Enable verbose messages on stderr.

   Example - check
       The following command checks if the patterndb.xml file  recognizes  the
       Accepted	publickey for myuser from 127.0.0.1 port 59357 ssh6 message:

	      pdbtool match -p patterndb.xml -P	sshd -M	"Accepted publickey for	myuser from 127.0.0.1 port 59357 ssh6"

   Example - apply
       The following example applies the sshd.pdb pattern database file to the
       log messages stored in the /var/log/messages file, and displays only
       the messages that received the usracct tag (the --file and --filter
       options take the log file and a syslog-ng OSE filter expression):

              pdbtool match -p sshd.pdb \
                  --file /var/log/messages \
                  --filter 'tags("usracct");'
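A complete round trip with the test and match commands, as an added example that is not from the syslog-ng OSE manual or project: it writes a minimal v4 pattern database for the sshd message used above, then validates it, matches the message, and applies the database to a log file. The PDB path, the ruleset and rule ids, the parser names (auth_method, username, client_addr, port, protocol) and the provider string are assumptions; pdbtool and xmllint must be installed for the checks to run, otherwise only the file is written.

```shell
#!/bin/sh
# Added example, not from the syslog-ng OSE manual or project: write a minimal
# patterndb v4 file with one sshd rule, validate it, match the page's sample
# message, and apply it to a log file with a tags() filter.
# Assumptions: pdbtool/xmllint installed; the PDB path, ruleset/rule ids,
# parser names and the provider string are constructed here.
PDB="${PDB:-./sshd-example.pdb}"
write_pdb() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<patterndb version="4" pub_date="2024-01-01">
  <ruleset name="sshd" id="ruleset-sshd-example">
    <pattern>sshd</pattern>
    <rules>
      <rule provider="example" id="rule-sshd-accepted-example" class="system">
        <patterns>
          <!-- @ESTRING:n: @ reads up to the next space, @NUMBER:n@ a decimal,
               @ANYSTRING:n@ the rest of the message -->
          <pattern>Accepted @ESTRING:auth_method: @for @ESTRING:username: @from @ESTRING:client_addr: @port @NUMBER:port@ @ANYSTRING:protocol@</pattern>
        </patterns>
        <tags><tag>usracct</tag></tags>
        <examples>
          <example>
            <test_message program="sshd">Accepted publickey for myuser from 127.0.0.1 port 59357 ssh6</test_message>
            <test_values>
              <test_value name="username">myuser</test_value>
              <test_value name="port">59357</test_value>
            </test_values>
          </example>
        </examples>
      </rule>
    </rules>
  </ruleset>
</patterndb>
EOF
}

# Runs the pdbtool checks only when the tool is present, so the file is still
# produced on hosts without syslog-ng.
run_pdbtool_checks() {
  command -v pdbtool >/dev/null 2>&1 || { echo "pdbtool not found; skipping checks" >&2; return 0; }
  pdbtool test --validate "$1"     # XML schema check (needs xmllint)
  pdbtool test "$1"                # run every rule's <example> against its pattern
  pdbtool match -p "$1" -P sshd \
    -M "Accepted publickey for myuser from 127.0.0.1 port 59357 ssh6"
  [ -r /var/log/messages ] || return 0
  pdbtool match -p "$1" --file /var/log/messages --filter 'tags("usracct");'
}

write_pdb "$PDB"
run_pdbtool_checks "$PDB"
```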

The merge command
       merge [options]

       Use the merge command to combine separate pattern database files into a
       single file (pattern databases are usually stored in separate files per
       application to simplify maintenance). If a file uses an older database
       format, it is automatically updated to the latest format (V3). See the
       syslog-ng OSE Administrator Guide for details on the different pattern
       database versions.

	      	--debug	or -d

	      Enable debug/diagnostic messages on stderr.

	      	--directory or -D

	      The directory that contains the pattern database XML files to be
	      merged.

	      	--glob or -G

	      Specify  filenames  to be	merged using a glob pattern, for exam-
	      ple, using wildcards. For	details	 on  glob  patterns,  see  man
	      glob.  This pattern is applied only to the filenames, and	not on
	      directory	names.

	      	--pdb or -p

	      Name of the output pattern database file.

	      	--recursive or -r

	      Merge files from subdirectories as well.

	      	--sort or -s

	      Sort files into alphabetic order during the merge	(first sort by
	      filename,	then by	directory name).

	      	--verbose or -v

	      Enable verbose messages on stderr.

   Example - merge
	      pdbtool merge --recursive	--directory /home/me/mypatterns/  --pdb	/var/lib/syslog-ng/patterndb.xml

       Currently it is not possible to convert a file without merging,	so  if
       you  only  want to convert an older pattern database file to the	latest
       format, you have	to copy	it into	an empty directory.

The patternize command
       patternize [options]

       Automatically create a pattern database from a log file containing a
       large number of log messages. The resulting pattern database is printed
       to the standard output (stdout). The pdbtool patternize command uses a
       data clustering technique to find similar log messages and replaces the
       differing parts with @ESTRING:: @ parsers. For details on pattern
       databases and message parsers, see the syslog-ng OSE Administrator
       Guide <https://www.syslog-ng.com/>. The patternize command is available
       only in version 3.2 and later.

	      	--debug	or -d

	      Enable debug/diagnostic messages on stderr.

	      	--file=<path> or -f

	      The logfile containing the log messages to create	patterns from.
	      To receive the log messages from the standard input (stdin), use
	      -.

	      	--iterate-outliers or -o

	      Recursively  iterate  on the log lines to	cover as many log mes-
	      sages with patterns as possible.

	      	--named-parsers	or -n

	      The number of example log	messages to  include  in  the  pattern
	      database for every pattern. Default value: 1

	      	--no-parse or -p

	      Do  not  parse  the  input file, treat every line	as the message
	      part of a	log message.

	      	--samples=<number-of-samples>

	      Include  a  generated  name  in  the   parsers,	for   example,
	      .dict.string1, .dict.string2, and	so on.

	      	--support=<number> or -S

	      A	 pattern  is  added to the output pattern database if at least
	      the specified percentage of log messages from the	input  logfile
	      match  the  pattern.  For	example, if the	input logfile contains
	      1000 log messages	and the	--support=3.0 option is	used,  a  pat-
	      tern  is	created	only if	the pattern matches at least 3 percent
	      of the log messages (that	is, 30 log  messages).	If  patternize
	      does  not	 create	 enough	 patterns, try to decrease the support
	      value.

	      Default value: 4.0

	      	--verbose or -v

	      Enable verbose messages on stderr.

   Example - patternize
	      pdbtool patternize --support=2.5 --file=/var/log/messages

The test command
       test [options]

       Use the test command to validate	a pattern database XML file. Note that
       you must	have the xmllint application installed.	The  test  command  is
       available only in syslog-ng OSE version 3.2 and later.

	      	--color-out or -c

	      Enable coloring in terminal output.

	      	--debug	or -d

	      Enable debug/diagnostic messages on stderr.

	      	--debug	or -D

	      Print debugging information on non-matching patterns.

	      	--rule-id or -r

	      Test  only the patterndb rule (specified by its rule id) against
	      its example.

	      	--validate

	      Validate a pattern database XML file.

	      	--verbose or -v

	      Enable verbose messages on stderr.

   Example - test
	      pdbtool test --validate /home/me/mypatterndb.pdb

Files
       /usr/local/

       /usr/local/etc/syslog-ng.conf

       NOTE: If	you experience any problems or need help with  syslog-ng  OSE,
       see  the	 syslog-ng OSE Administration Guide[1],	or visit the syslog-ng
       OSE mailing list[2].  For news and notifications	about  syslog-ng  OSE,
       visit the syslog-ng OSE blogs[3].

AUTHOR
       This  manual  page  was generated from the syslog-ng OSE	Administration
       Guide[1], which was written by several contributors to whom  we'd  like
       to extend our sincere thanks.

COPYRIGHT
NOTES
       [1] syslog-ng OSE Administration	Guide
	   <https://syslog-ng.github.io/admin-guide/README>

       [2] syslog-ng OSE mailing list
	   <https://lists.balabit.hu/mailman/listinfo/syslog-ng>

       [3] syslog-ng OSE blogs
	   <https://syslog-ng.com/blog/>

4.9.0			       03 September 2025		    pdbtool(1)