NXLog pattern database schema reference

The following is a list of XML schema elements for creating an NXLog pattern database used by the Pattern Matcher (xm_pattern) module.

capturedfield

The capturedfield element defines a field captured by the regular expression of the parent matchfield.

Type

complexType

Parent elements

matchfield

Child elements

name, type

Definition
<!-- Two mandatory children, in this order: name, then type (one of the values enumerated by the global type element) -->
<xsd:element name="capturedfield">
    <xsd:complexType>
        <xsd:sequence>
            <xsd:element ref="name"/>
            <xsd:element ref="type"/>
        </xsd:sequence>
    </xsd:complexType>
</xsd:element>
Example
<!-- Declares the name and data type of a field captured from the regular expression of the enclosing matchfield -->
<capturedfield>
  <name>AuthMethod</name>
  <type>STRING</type>
</capturedfield>

capturedvalue

The capturedvalue element is used to define a captured field, its value, and its type.

Type

complexType

Parent elements

testcase

Child elements

name, value, type

Definition
<!-- Reuses the "field" complex type (name, value, type); optional and repeatable inside testcase -->
<xsd:element name="capturedvalue" type="field" minOccurs="0" maxOccurs="unbounded"/>
Example
<!-- A captured field, its value and its type, as used inside a testcase -->
<capturedvalue>
  <name>session_name</name>
  <value>ssh</value>
  <type>STRING</type>
</capturedvalue>

created

The created element represents the creation date of the pattern database.

Type

string

Parent elements

patterndb

Definition
<!-- Plain xsd:string: the value is not validated as a date; the examples on this page use "YYYY-MM-DD hh:mm:ss" -->
<xsd:element name="created" type="xsd:string"/>
Example
<!-- Creation timestamp of the pattern database (stored as a string) -->
<created>2023-08-01 08:36:31</created>

description

The description element is used for including comments in the schema.

Type

string

Parent elements

group, pattern

Definition
<!-- Free-text note; referenced as an optional child (minOccurs="0") by group and pattern -->
<xsd:element name="description" type="xsd:string"/>
Example
<!-- Any free-form text -->
<description>A user-friendly description.</description>

exec

The exec element is used to execute statements in the NXLog language when a record matches a pattern, for example to enrich log records or format values. Because a pattern database can therefore contain executable statements, treat it as configuration code: restrict who can modify the file and review a pattern database obtained from a third party before loading it.

Type

string

Parent elements

pattern

Definition
<!-- Zero or more exec elements per pattern; each holds NXLog language statements run when the pattern matches -->
<xsd:element name="exec" type="xsd:string" minOccurs="0" maxOccurs="unbounded"/>
Example
<!-- The element text is NXLog language code executed on a match.
     NOTE(review): the second statement reads $Testfield while the first assigns $TestField;
     confirm the difference in case is intentional. -->
<exec>
  $TestField = 'test';
  $TestField = $Testfield + 'value';
</exec>

field

The field element is used to define a field, its value, and its type.

Type

complexType

Parent elements

set, testcase

Child elements

name, type, value

Definition
<!-- The "field" complex type (name, type, value) is not shown on this page; capturedvalue reuses the same type -->
<xsd:element name="field" type="field"/>
Example
<!-- A field with its data type and value, as used inside set or testcase -->
<field>
  <name>TaxonomyStatus</name>
  <type>STRING</type>
  <value>success</value>
</field>

group

The group element is used to create a group of related patterns, for example patterns related to a specific application or log source.

Type

complexType

Parent elements

patterndb

Child elements

id, name, description, matchfield, pattern

Definition
<!-- xsd:sequence fixes the child order: id (optional), name, description (optional),
     then any number of matchfield and any number of pattern elements -->
<xsd:element name="group">
    <xsd:complexType>
        <xsd:sequence>
            <xsd:element ref="id" minOccurs="0"/>
            <xsd:element ref="name"/>
            <xsd:element ref="description" minOccurs="0"/>
            <xsd:element ref="matchfield" minOccurs="0" maxOccurs="unbounded"/>
            <xsd:element ref="pattern" minOccurs="0" maxOccurs="unbounded"/>
        </xsd:sequence>
    </xsd:complexType>
</xsd:element>
Example
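<!-- id precedes name: the group definition is an xsd:sequence of id (optional), name, description (optional), matchfield*, pattern* -->
<group>
    <id>42</id>
    <name>ssh</name>
    ...
</group>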

id

The id element defines the unique identifier of the parent element.

Type

long

Parent elements

group, pattern

Definition
<!-- xsd:long integer identifier; the group and pattern definitions reference it with minOccurs="0", so it is optional -->
<xsd:element name="id" type="xsd:long"/>
Example
<!-- Integer identifier of the enclosing group or pattern -->
<id>1</id>

matchfield

The matchfield element defines matching criteria for a field.

Type

complexType

Parent elements

group, pattern

Child elements

name, type, value, capturedfield

Definition
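<!-- Children in order: name, type, value, then any number of capturedfield elements.
     The "type" child here is declared locally and is NOT the global type element:
     it selects the matching mode (REGEXP/Regexp/regexp or EXACT/Exact/exact) rather than a data type. -->
<xsd:element name="matchfield">
    <xsd:complexType>
        <xsd:sequence>
            <xsd:element ref="name"/>
            <xsd:element name="type">
                <xsd:simpleType>
                    <xsd:restriction base="xsd:string">
                        <xsd:pattern value="(REGEXP|[Rr]egexp)|(EXACT|[Ee]xact)"/>
                    </xsd:restriction>
                </xsd:simpleType>
            </xsd:element>
            <xsd:element ref="value"/>
            <!-- capturedfield describes a field captured from the regular expression (see capturedfield) -->
            <xsd:element ref="capturedfield" minOccurs="0" maxOccurs="unbounded"/>
        </xsd:sequence>
    </xsd:complexType>
</xsd:element>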
Example
<!-- Exact match on the SourceName field; the lowercase "exact" is accepted by the matchfield type pattern -->
<matchfield>
    <name>SourceName</name>
    <type>exact</type>
    <value>sshd</value>
</matchfield>

name

The name element defines the name of the parent element or a field.

Type

string

Parent elements

capturedfield, field, group, matchfield, pattern

Definition
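<!-- Global string element referenced with ref="name" by the capturedfield, group, matchfield and pattern definitions on this page -->
<xsd:element name="name" type="xsd:string"/>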
Example
<!-- The element text holds the name (left empty in this placeholder example) -->
<name></name>

pattern

The pattern element is used to define matching criteria.

Type

complexType

Parent elements

group

Child elements

description, exec, id, matchfield, name, set, testcase

Definition
<!-- xsd:sequence fixes the child order: id (optional), name, description (optional),
     matchfield*, set*, exec*, testcase*. exec is declared locally here rather than via ref. -->
<xsd:element name="pattern">
    <xsd:complexType>
        <xsd:sequence>
            <xsd:element ref="id" minOccurs="0"/>
            <xsd:element ref="name"/>
            <xsd:element ref="description" minOccurs="0"/>
            <xsd:element ref="matchfield" minOccurs="0" maxOccurs="unbounded"/>
            <xsd:element ref="set" minOccurs="0" maxOccurs="unbounded"/>
            <xsd:element name="exec" type="xsd:string" minOccurs="0" maxOccurs="unbounded"/>
            <xsd:element ref="testcase" minOccurs="0" maxOccurs="unbounded"/>
        </xsd:sequence>
    </xsd:complexType>
</xsd:element>
Example
<!-- Children follow the schema sequence: id, name, then matchfield (set, exec and testcase would come after) -->
<pattern>
  <id>1</id>
  <name>ssh auth success</name>
  <matchfield>
    <name>Message</name>
    ...
  </matchfield>
</pattern>

patterndb

The patterndb element is the top-level element of the pattern database.

Type

complexType

Child elements

created, version, group

Definition
<!-- Root element: created (required), version (optional), then one or more group elements.
     created and version are declared locally here rather than via ref. -->
<xsd:element name="patterndb">
    <xsd:complexType>
        <xsd:sequence>
            <xsd:element name="created" type="xsd:string"/>
            <xsd:element name="version" type="xsd:string" minOccurs="0"/>
            <xsd:element ref="group" maxOccurs="unbounded"/>
        </xsd:sequence>
    </xsd:complexType>
</xsd:element>
Example
<!-- Root of a pattern database; group elements follow version -->
<patterndb>
  <created>2023-08-01 08:36:31</created>
  <version>1</version>
  ...
</patterndb>

set

The set element defines fields and values to be set if the event matches the pattern.

Type

complexType

Parent elements

pattern

Child elements

field

Definition
<!-- One or more field children; each gives the name, type and value assigned when the pattern matches -->
<xsd:element name="set">
    <xsd:complexType>
        <xsd:sequence>
            <xsd:element ref="field" maxOccurs="unbounded"/>
        </xsd:sequence>
    </xsd:complexType>
</xsd:element>
Example
<!-- Sets the STRING field TaxonomyStatus to "success" on a match -->
<set>
  <field>
    <name>TaxonomyStatus</name>
    <type>STRING</type>
    <value>success</value>
  </field>
</set>

testcase

The testcase element defines fields and values used to test that a pattern matches, optionally together with the captured field values (capturedvalue).

Type

complexType

Parent elements

pattern

Child elements

field, capturedvalue

Definition
<!-- One or more field children, followed by zero or more capturedvalue children (same "field" complex type) -->
<xsd:element name="testcase">
    <xsd:complexType>
        <xsd:sequence>
            <xsd:element ref="field" maxOccurs="unbounded"/>
            <xsd:element name="capturedvalue" type="field" minOccurs="0" maxOccurs="unbounded"/>
        </xsd:sequence>
    </xsd:complexType>
</xsd:element>
Example
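<!-- type values are the uppercase enumeration of the type element (STRING, INTEGER, ...); xsd:enumeration is case-sensitive -->
<testcase>
    <field>
        <name>application</name>
        <value>sshd</value>
        <type>STRING</type>
    </field>
</testcase>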

type

The type element defines the data type of a field. Note that matchfield declares its own local type child with a different value set (REGEXP or EXACT); see matchfield.

Type

simpleType

Parent elements

capturedfield, field, matchfield

Definition
<!-- Closed list of data types; xsd:enumeration on xsd:string is case-sensitive, so the values must be written in uppercase -->
<xsd:element name="type">
    <xsd:simpleType>
        <xsd:restriction base="xsd:string">
            <xsd:enumeration value="STRING"/>
            <xsd:enumeration value="INTEGER"/>
            <xsd:enumeration value="BINARY"/>
            <xsd:enumeration value="IPADDR"/>
            <xsd:enumeration value="IP4ADDR"/>
            <xsd:enumeration value="IP6ADDR"/>
            <xsd:enumeration value="BOOLEAN"/>
            <xsd:enumeration value="DATETIME"/>
        </xsd:restriction>
    </xsd:simpleType>
</xsd:element>
Example
<!-- Must be one of the enumerated uppercase values -->
<type>STRING</type>

value

The value element defines the value of a field.

Type

string

Parent elements

field, matchfield

Definition
<!-- Free-form string; in a matchfield it is interpreted according to the matchfield type (EXACT or REGEXP) -->
<xsd:element name="value" type="xsd:string"/>
Example
<!-- The element text is the value -->
<value>sshd</value>

version

The version element represents the version of the schema.

Type

string

Parent elements

patterndb

Definition
<!-- Optional (minOccurs="0") string; not validated as a number -->
<xsd:element name="version" type="xsd:string" minOccurs="0"/>
Example
<!-- Version string of the pattern database file -->
<version>1</version>