On Tue, 2011-11-08 at 17:27 +0300, Hery Fanomezantsoa wrote:
When correlating messages with syslog-ng 3.3.1, I get only the value in the last matching rule but not the earlier one. Here is my patterndb.xml:
<?xml version='1.0' encoding='UTF-8'?>
<patterndb version='3' pub_date='2011-11-07'>
  <ruleset name='ecelerity' id='12345678'>
    <pattern>ecelerity</pattern>
    <rules>
      <rule provider='me' id='123475980' class='system' context-scope='program' context-id='${MSG.UID}' context-timeout='10'>
        <patterns>
          <pattern>@ESTRING:LOG.UTC:|@@ESTRING:LOG.UID:| @ORCPTS|@ANYSTRING:LOG.VAL:@</pattern>
        </patterns>
        <examples>
          <example>
            <test_message program="ecelerity">1319550976| c0a80a3c-b7f6c6d000002063-1f-4ea6c0004833|ORCPTS| s.andriamampianina@***.**</test_message>
            <test_values>
              <test_value name="LOG.UTC">1319550976</test_value>
              <test_value name="LOG.UID">c0a80a3c-b7f6c6d000002063-1f-4ea6c0004833</test_value>
              <test_value name="LOG.VAL">s.andriamampianina@***.**</test_value>
            </test_values>
          </example>
        </examples>
      </rule>
      <rule provider='me' id='123475981' class='system' context-id='${MSG.UID}'>
        <patterns>
          <pattern>@ESTRING:LOG.UTC:|@@ESTRING:LOG.UID:| @SENDER|@ANYSTRING:LOG.VAL:@</pattern>
        </patterns>
        <actions>
          <action>
            <message>
              <values>
                <value name="MESSAGE">From ${LOG.VAL}@1 to ${LOG.VAL}@2.</value>
                <value name="TRIGGER">yes</value>
              </values>
            </message>
          </action>
        </actions>
      </rule>
    </rules>
  </ruleset>
</patterndb>
And the message I get is "from *****@**.** to ." Where did I go wrong?

You seem to be using ${MSG.UID} as the context-id; however, you are defining ${LOG.UID} only. Is it possible it's a typo?

--
Bazsi