NXLog pattern database schema reference
The following is a list of XML schema elements for creating an NXLog pattern database used by the Pattern Matcher (xm_pattern) module.
capturedfield
The capturedfield element defines a field captured by a capture group of the regular expression in the enclosing matchfield.
- Type: complexType
- Parent elements: matchfield
- Child elements: name, type
<xsd:element name="capturedfield">
<xsd:complexType>
<xsd:sequence>
<xsd:element ref="name"/>
<xsd:element ref="type"/>
</xsd:sequence>
</xsd:complexType>
</xsd:element>
<capturedfield>
<name>AuthMethod</name>
<type>STRING</type>
</capturedfield>
capturedvalue
The capturedvalue element is used in a testcase to define a captured field, its expected value, and its type.
<xsd:element name="capturedvalue" type="field" minOccurs="0" maxOccurs="unbounded"/>
<capturedvalue>
<name>session_name</name>
<value>ssh</value>
<type>STRING</type>
</capturedvalue>
created
The created element represents the creation date of the pattern database.
- Type: string
- Parent elements: patterndb
<xsd:element name="created" type="xsd:string"/>
<created>2023-08-01 08:36:31</created>
exec
The exec element contains NXLog language statements that are executed when a record matches the pattern, for example to enrich the record or to format field values.
- Type: string
- Parent elements: pattern
<xsd:element name="exec" type="xsd:string" minOccurs="0" maxOccurs="unbounded"/>
<exec>
$TestField = 'test';
$TestField = $TestField + 'value';
</exec>
group
The group element is used to create a group of related patterns, for example patterns for a specific application or log source.
- Type: complexType
- Parent elements: patterndb
- Child elements: description, id, matchfield, name, pattern
<xsd:element name="group">
<xsd:complexType>
<xsd:sequence>
<xsd:element ref="id" minOccurs="0"/>
<xsd:element ref="name"/>
<xsd:element ref="description" minOccurs="0"/>
<xsd:element ref="matchfield" minOccurs="0" maxOccurs="unbounded"/>
<xsd:element ref="pattern" minOccurs="0" maxOccurs="unbounded"/>
</xsd:sequence>
</xsd:complexType>
</xsd:element>
<group>
<id>42</id>
<name>ssh</name>
...
</group>
matchfield
The matchfield element defines the matching criteria for one field: the field name, whether the value is compared literally (exact) or as a regular expression (regexp), the value or expression itself, and, for regular expressions, the fields captured from it.
- Type: complexType
- Parent elements: group, pattern
- Child elements: capturedfield, name, type, value
<xsd:element name="matchfield">
<xsd:complexType>
<xsd:sequence>
<xsd:element ref="name"/>
<xsd:element name="type">
<xsd:simpleType>
<xsd:restriction base="xsd:string">
<xsd:pattern value="(REGEXP|[Rr]egexp)|(EXACT|[Ee]xact)"/>
</xsd:restriction>
</xsd:simpleType>
</xsd:element>
<xsd:element ref="value"/>
<xsd:element ref="capturedfield" minOccurs="0" maxOccurs="unbounded"/>
</xsd:sequence>
</xsd:complexType>
</xsd:element>
<matchfield>
<name>SourceName</name>
<type>exact</type>
<value>sshd</value>
</matchfield>
name
The name element defines the name of the parent element (a group or pattern) or of a field (in capturedfield, capturedvalue, field, and matchfield).
- Type: string
- Parent elements: capturedfield, capturedvalue, field, group, matchfield, pattern
<xsd:element name="name" type="xsd:string"/>
<name></name>
pattern
The pattern element defines one pattern: its matching criteria, the fields to set on a match, the statements to execute, and its test cases.
- Type: complexType
- Parent elements: group
- Child elements: description, exec, id, matchfield, name, set, testcase
<xsd:element name="pattern">
<xsd:complexType>
<xsd:sequence>
<xsd:element ref="id" minOccurs="0"/>
<xsd:element ref="name"/>
<xsd:element ref="description" minOccurs="0"/>
<xsd:element ref="matchfield" minOccurs="0" maxOccurs="unbounded"/>
<xsd:element ref="set" minOccurs="0" maxOccurs="unbounded"/>
<xsd:element name="exec" type="xsd:string" minOccurs="0" maxOccurs="unbounded"/>
<xsd:element ref="testcase" minOccurs="0" maxOccurs="unbounded"/>
</xsd:sequence>
</xsd:complexType>
</xsd:element>
<pattern>
<id>1</id>
<name>ssh auth success</name>
<matchfield>
<name>Message</name>
...
</matchfield>
</pattern>
patterndb
The patterndb element is the top-level element of the pattern database.
- Type: complexType
- Child elements: created, group, version
<xsd:element name="patterndb">
<xsd:complexType>
<xsd:sequence>
<xsd:element name="created" type="xsd:string"/>
<xsd:element name="version" type="xsd:string" minOccurs="0"/>
<xsd:element ref="group" maxOccurs="unbounded"/>
</xsd:sequence>
</xsd:complexType>
</xsd:element>
<patterndb>
<created>2023-08-01 08:36:31</created>
<version>1</version>
...
</patterndb>
set
The set element defines the fields and values to be set if the event matches the pattern.
- Type: complexType
- Parent elements: pattern
- Child elements: field
<xsd:element name="set">
<xsd:complexType>
<xsd:sequence>
<xsd:element ref="field" maxOccurs="unbounded"/>
</xsd:sequence>
</xsd:complexType>
</xsd:element>
<set>
<field>
<name>TaxonomyStatus</name>
<type>STRING</type>
<value>success</value>
</field>
</set>
testcase
The testcase element defines a test case for the pattern: the field elements form an input record that the pattern must match, and each capturedvalue element gives the name, type, and value of a field that the match must produce.
- Type: complexType
- Parent elements: pattern
- Child elements: capturedvalue, field
<xsd:element name="testcase">
<xsd:complexType>
<xsd:sequence>
<xsd:element ref="field" maxOccurs="unbounded"/>
<xsd:element name="capturedvalue" type="field" minOccurs="0" maxOccurs="unbounded"/>
</xsd:sequence>
</xsd:complexType>
</xsd:element>
<testcase>
<field>
<name>application</name>
<value>sshd</value>
<type>string</type>
</field>
</testcase>
type
The type element defines the data type of a field. The type element inside a matchfield is a separate, local element that only accepts exact or regexp.
- Type: simpleType
- Parent elements: capturedfield, capturedvalue, field
<xsd:element name="type">
<xsd:simpleType>
<xsd:restriction base="xsd:string">
<xsd:enumeration value="STRING"/>
<xsd:enumeration value="INTEGER"/>
<xsd:enumeration value="BINARY"/>
<xsd:enumeration value="IPADDR"/>
<xsd:enumeration value="IP4ADDR"/>
<xsd:enumeration value="IP6ADDR"/>
<xsd:enumeration value="BOOLEAN"/>
<xsd:enumeration value="DATETIME"/>
</xsd:restriction>
</xsd:simpleType>
</xsd:element>
<type>STRING</type>
value
The value element defines the value of a field or, inside a matchfield, the string or regular expression to match.
- Type: string
- Parent elements: capturedvalue, field, matchfield
<xsd:element name="value" type="xsd:string"/>
<value>sshd</value>
version
The version element represents the version of the schema.
- Type: string
- Parent elements: patterndb
<xsd:element name="version" type="xsd:string" minOccurs="0"/>
<version>1</version>
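To show how the elements above fit together, the following is an added example written for this page, not code from NXLog: a small Python script that embeds a constructed pattern database (one group, one pattern, one testcase, with a made-up sshd log line) and replays its testcase the way the schema describes matching. The function names (match_field, match_pattern, match_record, run_testcases, convert) are the example's own, and so are its assumptions: a matchfield placed directly in a group must match before the group's patterns are tried, regular-expression capture groups map to capturedfield elements in document order, only INTEGER captured values are converted from text, a match records PatternID and PatternName, and exec blocks are ignored rather than executed.

```python
"""Offline checker for an NXLog pattern database (added example, not NXLog code).

Every matchfield of a pattern must match: exact compares the whole field value,
regexp stores its capture groups, in order, under the capturedfield names. <set>
fields are then added. A <testcase> is replayed with its <field>s as the input
record, checking that each <capturedvalue> was produced. Assumed, not given by
the schema: group matchfields gate the group's patterns; <exec> is not run here.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample database (not taken from the page).
PATTERNDB_XML = r"""<patterndb>
  <created>2023-08-01 08:36:31</created>
  <version>1</version>
  <group>
    <id>42</id><name>ssh</name>
    <matchfield><name>SourceName</name><type>exact</type><value>sshd</value></matchfield>
    <pattern>
      <id>1</id><name>ssh auth success</name>
      <matchfield>
        <name>Message</name>
        <type>regexp</type>
        <value>^Accepted (\S+) for (\S+) from (\S+) port (\d+)</value>
        <capturedfield><name>AuthMethod</name><type>STRING</type></capturedfield>
        <capturedfield><name>AccountName</name><type>STRING</type></capturedfield>
        <capturedfield><name>SourceIPAddress</name><type>IPADDR</type></capturedfield>
        <capturedfield><name>SourcePort</name><type>INTEGER</type></capturedfield>
      </matchfield>
      <set><field><name>TaxonomyStatus</name><type>STRING</type><value>success</value></field></set>
      <testcase>
        <field><name>SourceName</name><type>STRING</type><value>sshd</value></field>
        <field><name>Message</name><type>STRING</type><value>Accepted publickey for alice from 192.0.2.10 port 51234 ssh2</value></field>
        <capturedvalue><name>AuthMethod</name><type>STRING</type><value>publickey</value></capturedvalue>
        <capturedvalue><name>SourcePort</name><type>INTEGER</type><value>51234</value></capturedvalue>
        <capturedvalue><name>TaxonomyStatus</name><type>STRING</type><value>success</value></capturedvalue>
      </testcase>
    </pattern>
  </group>
</patterndb>"""

def convert(value, ftype):
    """Apply the patterndb <type>: INTEGER becomes int, everything else stays text."""
    return int(value) if (ftype or "").upper() == "INTEGER" else value

def match_field(mf, record):
    """Evaluate one <matchfield>; return the captured fields, or None on no match."""
    name, want = mf.findtext("name"), mf.findtext("value")
    if name not in record:
        return None
    if mf.findtext("type", "exact").upper() == "EXACT":
        return {} if str(record[name]) == want else None
    m = re.search(want, str(record[name]))
    if m is None:
        return None
    return {cf.findtext("name"): convert(g, cf.findtext("type"))
            for cf, g in zip(mf.findall("capturedfield"), m.groups())}

def match_pattern(group, pattern, record):
    """Apply group and pattern matchfields, then <set>; return enriched record or None."""
    out = dict(record)
    for mf in group.findall("matchfield") + pattern.findall("matchfield"):
        captured = match_field(mf, record)
        if captured is None:
            return None
        out.update(captured)
    for fld in pattern.findall("set/field"):
        out[fld.findtext("name")] = convert(fld.findtext("value"), fld.findtext("type"))
    # Assumed: xm_pattern records which pattern matched in $PatternID and $PatternName.
    out["PatternID"], out["PatternName"] = int(pattern.findtext("id")), pattern.findtext("name")
    return out

def match_record(xml_text, record):
    """Return (pattern name, enriched record) for the first matching pattern, else None."""
    root = ET.fromstring(xml_text)
    for group in root.findall("group"):
        for pattern in group.findall("pattern"):
            out = match_pattern(group, pattern, record)
            if out is not None:
                return pattern.findtext("name"), out
    return None

def run_testcases(xml_text):
    """Replay every <testcase>; return a list of (pattern name, passed, detail)."""
    results = []
    for group in ET.fromstring(xml_text).findall("group"):
        for pattern in group.findall("pattern"):
            for tc in pattern.findall("testcase"):
                record = {f.findtext("name"): f.findtext("value") for f in tc.findall("field")}
                out = match_pattern(group, pattern, record)
                bad = [] if out is not None else ["testcase record did not match"]
                for cv in tc.findall("capturedvalue"):
                    want = convert(cv.findtext("value"), cv.findtext("type"))
                    got = (out or {}).get(cv.findtext("name"))
                    if got != want:
                        bad.append(f"{cv.findtext('name')}: expected {want!r}, got {got!r}")
                results.append((pattern.findtext("name"), not bad, "; ".join(bad) or "ok"))
    return results

if __name__ == "__main__":
    for name, ok, detail in run_testcases(PATTERNDB_XML):
        print("PASS" if ok else "FAIL", name, detail)
```

Run the file directly to get one PASS or FAIL line per testcase; a failing testcase names the capturedvalue that differed, which is the check worth running on a pattern database before it is loaded by xm_pattern. The group-level exact match on SourceName is deliberately kept: a record whose Message matches the regular expression but whose SourceName is not sshd is rejected before the pattern's own matchfield is evaluated.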