The rule has a context-timeout attribute that specifies how long an entry is kept in the correlation state. Yours specifies zero, thus syslog-ng expires the entry as soon as the timestamp changes.

On Aug 10, 2015 06:33, "Thanh Dat" <dat.tt@netnam.vn> wrote:
Dear all syslog-ng experts,

I have a pattern to combine multiple lines of postfix into a single entry. However, it does not work correctly. When I ran syslog-ng -Fvde, I found out that the reason is that its context always expires after the "from" log and the "message-id" log, and I don't know why. For example:

[2015-08-10T10:13:58.421999] Expiring patterndb correllation context; last_rule='bbbbbbbb-3916-2444-5238-7495cb64bf76', utc='1437843601'

I am sending you my debug output, patterndb and my log sample. Please help me. Thank you so much for your help.
PS: Sorry for my bad English.

--
Best Regards.
--
Tang Thanh Dat (Mr.) | System Administration Department
NETNAM CORPORATION
18 Hoang Quoc Viet, Cau Giay, Hanoi, Vietnam
(T)+84-4-37562227, (F)+84-4-37 561 888, (M)+84-(0)-9 32336692
(E) dat.tt@netnam.vn (W) www.netnam.vn
--
NetNam - one of the best ISPs and Solutions Providers in Vietnam, specialized in corporate networks, managed services & security solutions.
--
Your Net, We Care!
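Added example, not part of the original thread and not syslog-ng code: a simplified Python model of the expiry behaviour described in the reply at the top, showing how a context timeout of zero splits one postfix queue ID into several entries once the log timestamp advances. The function `correlate`, its `context_timeout` parameter, the assumption that each match restarts the timer, and the sample log lines are all constructed for illustration.

```python
import re
from datetime import datetime

# Constructed postfix-style sample lines (not the poster's attached log).
SAMPLE = """\
2015-08-10T10:13:55 mail postfix/smtpd[2101]: 4F1C2A0B: client=host.example[192.0.2.10]
2015-08-10T10:13:56 mail postfix/cleanup[2104]: 4F1C2A0B: message-id=<1@host.example>
2015-08-10T10:13:56 mail postfix/qmgr[1980]: 4F1C2A0B: from=<a@host.example>, size=512, nrcpt=1
2015-08-10T10:13:58 mail postfix/smtp[2107]: 4F1C2A0B: to=<b@example.net>, status=sent
2015-08-10T10:13:58 mail postfix/qmgr[1980]: 4F1C2A0B: removed
""".splitlines()

# timestamp, host, postfix/<daemon>[pid]:, queue ID, rest of the message
LINE = re.compile(r"^(\S+) \S+ postfix/\w+\[\d+\]: ([0-9A-F]+): (.*)$")


def correlate(lines, context_timeout):
    """Group lines by queue ID; the clock advances only with log timestamps."""
    open_ctx = {}  # queue ID -> (expiry time, collected message parts)
    merged = []    # finished (queue ID, parts) entries, in expiry order
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        now = datetime.fromisoformat(m.group(1)).timestamp()
        qid, text = m.group(2), m.group(3)
        # Expire every context whose deadline lies before the current timestamp.
        for key in [k for k, (exp, _) in open_ctx.items() if exp < now]:
            merged.append((key, open_ctx.pop(key)[1]))
        parts = open_ctx.get(qid, (None, []))[1]
        parts.append(text)
        # Model assumption: every matching message restarts the timer.
        open_ctx[qid] = (now + context_timeout, parts)
    merged.extend((k, v[1]) for k, v in open_ctx.items())  # flush at end of input
    return merged


if __name__ == "__main__":
    for timeout in (0, 30):
        print(f"context_timeout={timeout}")
        for qid, parts in correlate(SAMPLE, timeout):
            print(f"  {qid}: {' | '.join(parts)}")
```
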