
<html>

<head>

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

<meta name="Generator" content="Microsoft Exchange Server">

<!-- converted from text --><style><!-- .EmailQuote { margin-left: 1pt; padding-left: 4pt; border-left: #800000 2px solid; } --></style>

</head>

<body>

<div>

<div>Pdbtool output does not show tags until 3.4.2</div>

<div><br>

</div>

<div><br>

</div>

<div>

<div style="font-size:75%; color:#575757">Sent from Samsung Mobile</div>

</div>

<br>

<br>

<br>

-------- Original message --------<br>

From: mailing lists &lt;listas.correo@yahoo.es&gt; <br>

Date: 08-06-2013 1:01 AM (GMT-08:00) <br>

To: syslog-ng@lists.balabit.hu <br>

Subject: [syslog-ng] problem tagging with patterndb (syslog-ng 3.4.1) <br>

<br>

<br>

</div>

<font size="2"><span style="font-size:10pt;">

<div class="PlainText">Hello all,<br>

<br>

I am having a problem understanding patterndb and tags, for the following rule the log line is matched but tags are not settled in pdbtool output. What am i missing here?<br>

<br>

<br>

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;rule id=&quot;dad57bd5-6f9e-47b8-9e9f-401e3eb34334&quot; provider=&quot;user&quot; class=&quot;system&quot;&gt;<br>

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;patterns&gt;<br>

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;pattern&gt;@ESTRING:postfix.qid::@ to=@QSTRING:postfix.to:&amp;lt;&amp;gt;@, orig_to=@QSTRING:postfix.orig_to:&amp;lt;&amp;gt;@, relay=@ESTRING:postfix.relay.hostname:[@@ESTRING:postfix.relay.path:]@, delay=@ESTRING:postfix.delay:,@ delays=@ESTRING:postfix.delays.1:/@@ESTRING:postfix.delays.2:/@@ESTRING:postfix.delays.3:/@@ESTRING:postfix.delays.4:,@

 dsn=@ESTRING:postfix.dsn:,@ status=@ESTRING:postfix.status: @@QSTRING:postfix.statusmsg:()@&lt;/pattern&gt;<br>

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;pattern&gt;@ESTRING:postfix.qid::@ to=@QSTRING:postfix.to:&amp;lt;&amp;gt;@, orig_to=@QSTRING:postfix.orig_to:&amp;lt;&amp;gt;@, relay=@ESTRING:postfix.relay.hostname:[@@ESTRING:postfix.relay.path:]@:24, delay=@ESTRING:postfix.delay:,@ delays=@ESTRING:postfix.delays.1:/@@ESTRING:postfix.delays.2:/@@ESTRING:postfix.delays.3:/@@ESTRING:postfix.delays.4:,@

 dsn=@ESTRING:postfix.dsn:,@ status=@ESTRING:postfix.status: @@QSTRING:postfix.statusmsg:()@&lt;/pattern&gt;<br>

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;pattern&gt;@ESTRING:postfix.qid::@ to=@QSTRING:postfix.to:&amp;lt;&amp;gt;@, orig_to=@QSTRING:postfix.orig_to:&amp;lt;&amp;gt;@, relay=@ESTRING:postfix.relay.hostname:[@@ESTRING:postfix.relay.path:]@:24, delay=@ESTRING:postfix.delay:,@ delays=@ESTRING:postfix.delays.1:/@@ESTRING:postfix.delays.2:/@@ESTRING:postfix.delays.3:/@@ESTRING:postfix.delays.4:,@

 dsn=@ESTRING:postfix.dsn:,@ status=@ESTRING:postfix.status: @(@ESTRING:postfix.status.code1: @@ESTRING:postfix.status.code2: @@EMAIL:postfix.status.recipient:&amp;lt;&amp;gt; @@ESTRING:postfix.status.qid: @Saved)&lt;/pattern&gt;<br>

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;/patterns&gt;<br>

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;tags&gt;<br>

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;tag&gt;postfix&lt;/tag&gt;<br>

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;tag&gt;lmtp&lt;/tag&gt;<br>

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;/tags&gt;<br>

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;/rule&gt;<br>

<br>

<br>

$ pdbtool match -P 'postfix' -p postfix.pdb -D -c -f mail.log<br>

<br>

Pattern matching part:<br>

@ESTRING:postfix.qid=B5BBAADB@ to=@QSTRING:postfix.to=user002@example.com@, orig_to=@QSTRING:postfix.orig_to=noreply@example.com@, relay=@ESTRING:postfix.relay.hostname=lmtp.example.com@@ESTRING:postfix.relay.path=10.180.242.142@:24, delay=@ESTRING:postfix.delay=0.07@

 delays=@ESTRING:postfix.delays.1=0.04@@ESTRING:postfix.delays.2=0@@ESTRING:postfix.delays.3=0@@ESTRING:postfix.delays.4=0.03@ dsn=@ESTRING:postfix.dsn=2.0.0@ status=@ESTRING:postfix.status=sent@(@ESTRING:postfix.status.code1=250@@ESTRING:postfix.status.code2=2.0.0@@EMAIL:postfix.status.recipient=noreply@example.com@@ESTRING:postfix.status.qid=XP52K7Bp&#43;1G/FAAAtCZERg@Saved)<br>

Matching part:<br>

B5BBAADB: to=&lt;user002@example.com&gt;, orig_to=&lt;noreply@example.com&gt;, relay=lmtp.example.com[10.180.242.142]:24, delay=0.07, delays=0.04/0/0/0.03, dsn=2.0.0, status=sent (250 2.0.0 &lt;noreply@example.com&gt; XP52K7Bp&#43;1G/FAAAtCZERg Saved)<br>

Values:<br>

HOST=mailserver<br>

MESSAGE=B5BBAADB: to=&lt;user002@example.com&gt;, orig_to=&lt;noreply@example.com&gt;, relay=lmtp.example.com[10.180.242.142]:24, delay=0.07, delays=0.04/0/0/0.03, dsn=2.0.0, status=sent (250 2.0.0 &lt;noreply@example.com&gt; XP52K7Bp&#43;1G/FAAAtCZERg Saved)<br>

PROGRAM=postfix/lmtp<br>

PID=29484<br>

LEGACY_MSGHDR=postfix/lmtp[29484]: <br>

.classifier.class=system<br>

.classifier.rule_id=dad57bd5-6f9e-47b8-9e9f-401e3eb34334<br>

postfix.qid=B5BBAADB<br>

postfix.to=user002@example.com<br>

postfix.orig_to=noreply@example.com<br>

postfix.relay.hostname=lmtp.example.com<br>

postfix.relay.path=10.180.242.142<br>

postfix.delay=0.07<br>

postfix.delays.1=0.04<br>

postfix.delays.2=0<br>

postfix.delays.3=0<br>

postfix.delays.4=0.03<br>

postfix.dsn=2.0.0<br>

postfix.status=sent<br>

postfix.status.code1=250<br>

postfix.status.code2=2.0.0<br>

postfix.status.recipient=noreply@example.com<br>

postfix.status.qid=XP52K7Bp&#43;1G/FAAAtCZERg<br>

TAGS=<br>

______________________________________________________________________________<br>

Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>

Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng">

http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>

FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq">http://www.balabit.com/wiki/syslog-ng-faq</a><br>

<br>

</div>

</span></font>

</body>

</html>