Hi,

it seems that you get mid from the second message (which triggers the action), and the icid value from the first one. To refer to a value of an earlier message, you have to suffix the referred value with @how-much-earlier-the-value-was-parsed, that is @1 for you, like

<value name="MESSAGE">IronPort message complete: icid: $icid@1, mid: $mid</value>

Admittedly, an example would be useful in the docs (http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.2-guid...).

HTH,
Robert

On Friday, December 17, 2010 18:35 CET, Martin Holste <mcholste@gmail.com> wrote:

I'm trying to build a correlation message for Ironport similar to the Postfix example that was referred to in the discussions. Here's what I have so far, but it's not quite working:

<ruleset>
  <rules>
    <rule class="10" id="10" context-id="ironport-mid" context-timeout="10" context-scope="program">
      <patterns>
        <pattern>Info: Start MID @NUMBER:mid:@ ICID @NUMBER:icid:@</pattern>
      </patterns>
      <values>
        <value name="icid">$icid</value>
      </values>
      <examples>
        <example>
          <test_message program="ironport_mail_logs">Info: Start MID 144753300 ICID 696117306</test_message>
        </example>
      </examples>
    </rule>
    <rule class="10" id="10" context-id="ironport-mid" context-timeout="10" context-scope="program">
      <patterns>
        <pattern>Info: Message finished MID @NUMBER:mid:@ done</pattern>
      </patterns>
      <actions>
        <action>
          <message>
            <values>
              <value name="MESSAGE">IronPort message complete: icid: $icid, mid: $mid</value>
            </values>
          </message>
        </action>
      </actions>
      <examples>
        <example>
          <test_message program="ironport_mail_logs">Info: Message finished MID 144753300 done</test_message>
        </example>
      </examples>
    </rule>
  </rules>
</ruleset>

I'm getting the triggered action, but the icid is null while the mid is filled in. What am I missing?
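
Added example, not part of the original thread and not syslog-ng code: a small Python check that scans a patterndb ruleset for the mistake discussed above, an action message that references a value the triggering rule does not parse itself and that carries no @N suffix. The embedded ruleset is a constructed, trimmed copy of the rules from the thread with the rule ids changed to "start" and "finish" so the findings are distinguishable; treating upper-case names as built-in macros is an assumption of this sketch.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the two rules from the thread, trimmed to what the check reads.
SAMPLE = """<ruleset><rules>
<rule id="start" context-id="ironport-mid" context-timeout="10" context-scope="program">
  <patterns><pattern>Info: Start MID @NUMBER:mid:@ ICID @NUMBER:icid:@</pattern></patterns>
</rule>
<rule id="finish" context-id="ironport-mid" context-timeout="10" context-scope="program">
  <patterns><pattern>Info: Message finished MID @NUMBER:mid:@ done</pattern></patterns>
  <actions><action><message><values>
    <value name="MESSAGE">IronPort message complete: icid: $icid, mid: $mid</value>
  </values></message></action></actions>
</rule>
</rules></ruleset>"""

# Named parser fields inside a <pattern>: @TYPE:name:optional-params@
PARSER = re.compile(r"@[A-Za-z]+:([A-Za-z0-9_.-]+):[^@]*@")
# $name or ${name}, optionally followed by the @N context suffix
REF = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?(@\d+)?")


def unresolved_refs(xml_text):
    """Return (rule id, value name, macro) for each action value that uses a
    macro the rule neither parses nor sets, and that has no @N suffix."""
    findings = []
    for rule in ET.fromstring(xml_text).iter("rule"):
        known = set()
        for pat in rule.iter("pattern"):
            known.update(PARSER.findall(pat.text or ""))
        # <values> directly under the rule also set names on the current message
        for val in rule.findall("values/value"):
            known.add(val.get("name"))
        for val in rule.findall("actions/action/message/values/value"):
            for name, suffix in REF.findall(val.text or ""):
                # Assumption: upper-case names are built-in macros ($HOST, $PROGRAM)
                if suffix or name.isupper() or name in known:
                    continue
                findings.append((rule.get("id"), val.get("name"), name))
    return findings


if __name__ == "__main__":
    print(unresolved_refs(SAMPLE))
```
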