NXLog pattern database schema reference
The following is a list of XML schema elements for creating an NXLog pattern database used by the Pattern Matcher (xm_pattern) module.
capturedfield
The capturedfield element defines a field captured from the regular expression.
- Type
-
complexType
- Parent elements
- Child elements
<xsd:element name="capturedfield">
<xsd:complexType>
<xsd:sequence>
<xsd:element ref="name"/>
<xsd:element ref="type"/>
</xsd:sequence>
</xsd:complexType>
</xsd:element><capturedfield>
<name>AuthMethod</name>
<type>STRING</type>
</capturedfield>capturedvalue
The capturedvalue element is used to define a captured field, its value, and its type.
<xsd:element name="capturedvalue" type="field" minOccurs="0" maxOccurs="unbounded"/><capturedvalue>
<name>session_name</name>
<value>ssh</value>
<type>STRING</type>
</capturedvalue>case-sensitive
The case-sensitive element is used to control the matching type. If not specified then the actual pattern matching will be done case-sensitively.
- Type
-
boolean
- Parent elements
<xsd:element name="case-sensitive" type="xsd:boolean" minOccurs="0"/><case-sensitive>false</case-sensitive>created
The created element represents the creation date of the pattern database.
- Type
-
string
- Parent elements
<xsd:element name="created" type="xsd:string"/><created>2023-08-01 08:36:31</created>exec
The exec element is used to execute commands in the NXLog language when a record matches a pattern.
For example, to enrich log records or format values.
- Type
-
string
- Parent elements
<xsd:element name="exec" type="xsd:string" minOccurs="0" maxOccurs="unbounded"/><exec>
$TestField = 'test';
$TestField = $Testfield + 'value';
</exec>group
The group element is used to create a group of related patterns.
For example, patterns related to a specific application or log source.
- Type
-
complexType
- Parent elements
- Child elements
<xsd:element name="group">
<xsd:complexType>
<xsd:sequence>
<xsd:element ref="id" minOccurs="0"/>
<xsd:element ref="name"/>
<xsd:element ref="description" minOccurs="0"/>
<xsd:element ref="matchfield" minOccurs="0" maxOccurs="unbounded"/>
<xsd:element ref="pattern" minOccurs="0" maxOccurs="unbounded"/>
</xsd:sequence>
</xsd:complexType>
</xsd:element><group>
<name>ssh</name>
<id>42</id>
...
</group>matchfield
The matchfield element defines matching criteria for a field.
- Type
-
complexType
- Parent elements
- Child elements
<xsd:element name="matchfield">
<xsd:complexType>
<xsd:sequence>
<xsd:element ref="name"/>
<xsd:element name="type" type="matchtype" />
<xsd:element ref="value"/>
<xsd:element name="case-sensitive" type="xsd:boolean" minOccurs="0"/>
<xsd:element ref="capturedfield" minOccurs="0" maxOccurs="unbounded"/>
</xsd:sequence>
</xsd:complexType>
</xsd:element>
<xsd:simpleType name="matchtype">
<xsd:restriction base="xsd:string">
<xsd:enumeration value="regexp"/>
<xsd:enumeration value="exact"/>
<xsd:enumeration value="startswith"/>
<xsd:enumeration value="endswith"/>
<xsd:enumeration value="contains"/>
</xsd:restriction>
</xsd:simpleType><matchfield>
<name>SourceName</name>
<type>exact</type>
<value>sshd</value>
<case-sensitive>false</case-sensitive>
</matchfield>name
The name element defines the name of the parent element or a field.
- Type
-
string
- Parent elements
<xsd:element name="value" type="xsd:string"/><name></name>pattern
The pattern element is used to define matching criteria.
- Type
-
complexType
- Parent elements
- Child elements
-
description, exec, id, matchfield, name, set, testcase
<xsd:element name="pattern">
<xsd:complexType>
<xsd:sequence>
<xsd:element ref="id" minOccurs="0"/>
<xsd:element ref="name"/>
<xsd:element ref="description" minOccurs="0"/>
<xsd:element ref="matchfield" minOccurs="0" maxOccurs="unbounded"/>
<xsd:element ref="set" minOccurs="0" maxOccurs="unbounded"/>
<xsd:element name="exec" type="xsd:string" minOccurs="0" maxOccurs="unbounded"/>
<xsd:element ref="testcase" minOccurs="0" maxOccurs="unbounded"/>
</xsd:sequence>
</xsd:complexType>
</xsd:element><pattern>
<id>1</id>
<name>ssh auth success</name>
<matchfield>
<name>Message</name>
...
</matchfield>
</pattern>patterndb
The patterndb element is the top-level element of the pattern database.
<xsd:element name="patterndb">
<xsd:complexType>
<xsd:sequence>
<xsd:element name="created" type="xsd:string"/>
<xsd:element name="version" type="xsd:string" minOccurs="0"/>
<xsd:element ref="group" maxOccurs="unbounded"/>
</xsd:sequence>
</xsd:complexType>
</xsd:element><patterndb>
<created>2023-08-01 08:36:31</created>
<version>1</version>
...
</patterndb>set
The set element defines fields and values to be set if the event matches the pattern.
<xsd:element name="set">
<xsd:complexType>
<xsd:sequence>
<xsd:element ref="field" maxOccurs="unbounded"/>
</xsd:sequence>
</xsd:complexType>
</xsd:element><set>
<field>
<name>TaxonomyStatus</name>
<type>STRING</type>
<value>success</value>
</field>
</set>testcase
The testcase element defines a field and value to match in a pattern.
- Type
-
complexType
- Parent elements
- Child elements
<xsd:element name="testcase">
<xsd:complexType>
<xsd:sequence>
<xsd:element ref="field" maxOccurs="unbounded"/>
<xsd:element name="capturedvalue" type="field" minOccurs="0" maxOccurs="unbounded"/>
</xsd:sequence>
</xsd:complexType>
</xsd:element><testcase>
<field>
<name>application</name>
<value>sshd</value>
<type>string</type>
</field>
</testcase>type
The type element defines the data type of a field.
- Type
-
simpleType
- Parent elements
<xsd:element name="type">
<xsd:simpleType>
<xsd:restriction base="xsd:string">
<xsd:enumeration value="string"/>
<xsd:enumeration value="integer"/>
<xsd:enumeration value="binary"/>
<xsd:enumeration value="ipaddr"/>
<xsd:enumeration value="boolean"/>
<xsd:enumeration value="datetime"/>
</xsd:restriction>
</xsd:simpleType>
</xsd:element><type>STRING</type>value
The value element defines the value of a field.
- Type
-
string
- Parent elements
<xsd:element name="value" type="xsd:string"/><value>sshd</value>version
The version element represents the version of the schema.
- Type
-
string
- Parent elements
<xsd:element name="version" type="xsd:string" minOccurs="0"/><version>1</version>