The rule has a context-timeout attribute that specifies how long an entry is kept in the correlation state.
Yours specifies zero, thus syslog-ng expires the entry as soon as the timestamp changes.
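The fix described in the reply above, as an added example that is not part of the original thread and not the poster's patterndb. The rule ids, provider, class, value names, message patterns and the 600-second timeout are assumptions constructed for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example: ids, names, patterns and the timeout value are
     placeholders, not taken from the poster's patterndb. -->
<patterndb version="4" pub_date="2015-08-10">
  <ruleset name="postfix" id="00000000-0000-0000-0000-000000000001">
    <patterns>
      <!-- Program names as they appear in the syslog header -->
      <pattern>postfix/qmgr</pattern>
      <pattern>postfix/smtp</pattern>
    </patterns>
    <rules>
      <!-- Weak setting, for comparison only:
             context-id="${postfix.queueid}" context-timeout="0"
           The entry is kept for zero seconds, so the context is expired
           as soon as the timestamp changes and later lines of the same
           delivery never join it. -->

      <!-- Corrected: keep the context for 600 seconds (assumed value; it
           must exceed the longest gap between the first and last line of
           one delivery). context-scope="host" lets lines from different
           postfix programs share one context per queue id. -->
      <rule provider="example" id="00000000-0000-0000-0000-000000000002"
            class="system"
            context-id="${postfix.queueid}"
            context-timeout="600"
            context-scope="host">
        <patterns>
          <!-- e.g. "4F2A31C0D7: from=<a@example.com>, size=1234, nrcpt=1 (queue active)" -->
          <pattern>@ESTRING:postfix.queueid:: @from=&lt;@ESTRING:postfix.from:&gt;@, @ANYSTRING@</pattern>
        </patterns>
      </rule>

      <!-- Second rule joins the same context through the same context-id -->
      <rule provider="example" id="00000000-0000-0000-0000-000000000003"
            class="system"
            context-id="${postfix.queueid}"
            context-timeout="600"
            context-scope="host">
        <patterns>
          <!-- e.g. "4F2A31C0D7: to=<b@example.org>, relay=..., status=sent (...)" -->
          <pattern>@ESTRING:postfix.queueid:: @to=&lt;@ESTRING:postfix.to:&gt;@, @ANYSTRING@</pattern>
        </patterns>
      </rule>
    </rules>
  </ruleset>
</patterndb>
```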
Dear all syslog-ng experts,
I have a pattern to combine multiple lines of postfix into a single entry. However, it does not work correctly. When I ran syslog-ng -Fvde, I found out the reason is that its context always expires after the "from" log and the "message-id" log, and I don't know why. For example:
[2015-08-10T10:13:58.421999] Expiring patterndb correllation context; last_rule='bbbbbbbb-3916-2444-5238-7495cb64bf76', utc='1437843601'
I am sending you my debug output, patterndb and my log sample.
Please help me.
Thank you so much for your help.
PS: Sorry for my bad English.
--
Best Regards.
--
Tang Thanh Dat (Mr.) | System Administration Department
NETNAM CORPORATION
18 Hoang Quoc Viet, Cau Giay, Hanoi,Vietnam
(T)+84-4-37562227, (F)+84-4-37 561 888, (M)+84-(0)-9 32336692
(E) dat.tt@netnam.vn (W) www.netnam.vn
--
NetNam - one of the best ISPs and Solutions Providers in Vietnam,
specialized in corporate networks, managed services & security solutions.
--
Your Net, We Care!