On 20-02-11 14:25, Balazs Scheidler wrote:
Yes, you can, but at a cost. To match one message with two patterns, you will need two different pattern databases:

    parser db1 {db_parser(file("/var/lib/syslog-ng/db1.xml"));};
    parser db2 {db_parser(file("/var/lib/syslog-ng/db2.xml"));};

Can you explain why you needed this? Why couldn't you do all processing in your single rule?
My question came from Postfix, where I tried correlating the smtpd "connect" and "disconnect" messages - which is quite trivial; but I would also like a larger correlation that includes the whole mail delivery.

The connect/disconnect trail is simple: context-id="postfix-smtpd" context-scope="process" and off you go.

The mail delivery trail is trickier: you cannot get the full trail with just a "process" scope, you need to look for the "queueid". This queueid starts with smtpd, so there you go: a single message from smtpd that has a meaning in two different contexts.

Please note that the queue-id is not available in all smtpd messages, so it is not possible to add trail 1 to trail 2.

(I hope my explanation is clear, if not, please say so; I have a couple of patterns and also a postfix log trail that I could include).

Best regards,
Valentijn
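
The two trails discussed in this thread, modelled outside syslog-ng as an added Python example (not part of the original messages and not syslog-ng code): it groups Postfix log lines once by host/program/PID, as context-scope="process" does, and once by queue ID, and collects the smtpd lines that fall into both. The sample log lines, the regular expressions and the function name `correlate` are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in Postfix syslog format (not taken from the thread).
SAMPLE = """\
Feb 20 14:00:01 mx postfix/smtpd[1234]: connect from client.example[192.0.2.10]
Feb 20 14:00:02 mx postfix/smtpd[1234]: 4F2A1C0DE: client=client.example[192.0.2.10]
Feb 20 14:00:02 mx postfix/cleanup[1240]: 4F2A1C0DE: message-id=<a@client.example>
Feb 20 14:00:03 mx postfix/qmgr[900]: 4F2A1C0DE: from=<a@client.example>, size=512, nrcpt=1
Feb 20 14:00:03 mx postfix/smtpd[1234]: disconnect from client.example[192.0.2.10]
Feb 20 14:00:04 mx postfix/smtp[1250]: 4F2A1C0DE: to=<b@example.net>, status=sent (250 ok)
Feb 20 14:00:04 mx postfix/qmgr[900]: 4F2A1C0DE: removed
""".splitlines()

LINE = re.compile(r"^\w{3} +\d+ [\d:]+ (?P<host>\S+) "
                  r"postfix/(?P<prog>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
QUEUEID = re.compile(r"^(?P<qid>[0-9A-F]{6,}): ")


def correlate(lines):
    """Group lines into two independent trails.

    Returns (sessions, deliveries, both):
      sessions   - smtpd messages keyed by (host, program, pid)
      deliveries - (program, message) pairs keyed by queue ID
      both       - smtpd messages that belong to both trails
    """
    sessions, deliveries, both = defaultdict(list), defaultdict(list), []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a Postfix line in the expected format
        prog, msg = m["prog"], m["msg"]
        # Trail 1: same key as context-scope="process" (host + program + pid).
        if prog == "smtpd":
            sessions[(m["host"], prog, m["pid"])].append(msg)
        # Trail 2: keyed by queue ID, which only some messages carry.
        q = QUEUEID.match(msg)
        if q:
            deliveries[q["qid"]].append((prog, msg[q.end():]))
            if prog == "smtpd":
                both.append(msg)
    return dict(sessions), dict(deliveries), both


if __name__ == "__main__":
    sessions, deliveries, both = correlate(SAMPLE)
    print(sessions, deliveries, both, sep="\n")
```
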