If I change it to <value name="MESSAGE">IronPort message complete: icid: $icid@2, mid: $mid</value> then the output shows "IronPort message complete: icid: @2, mid: 285561684" no matter what value I use for the integer. If it doesn't exist then it should be null. This does bring up the problem of when you don't know how many lines back your variable exists. Can you use $(grep) in that situation?

On Fri, Dec 17, 2010 at 1:35 PM, Fekete Róbert <frobert@balabit.hu> wrote:
Hi,
it seems that you get mid from the second message (which triggers the action), and the icid value from the first one. To refer to a value of an earlier message, you have to suffix the referred value with @how-much-earlier-the-value-was-parsed, that is @1 for you, like <value name="MESSAGE">IronPort message complete: icid: $icid@1, mid: $mid</value>
Admittedly, an example would be useful in the docs (http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.2-guid...).
HTH,
Robert
On Friday, December 17, 2010 18:35 CET, Martin Holste <mcholste@gmail.com> wrote:
I'm trying to build a correlation message for Ironport similar to the Postfix example that was referred to in the discussions. Here's what I have so far, but it's not quite working:
<ruleset>
  <rules>
    <rule class="10" id="10" context-id="ironport-mid" context-timeout="10" context-scope="program">
      <patterns>
        <pattern>Info: Start MID @NUMBER:mid:@ ICID @NUMBER:icid:@</pattern>
      </patterns>
      <values>
        <value name="icid">$icid</value>
      </values>
      <examples>
        <example>
          <test_message program="ironport_mail_logs">Info: Start MID 144753300 ICID 696117306</test_message>
        </example>
      </examples>
    </rule>
    <rule class="10" id="10" context-id="ironport-mid" context-timeout="10" context-scope="program">
      <patterns>
        <pattern>Info: Message finished MID @NUMBER:mid:@ done</pattern>
      </patterns>
      <actions>
        <action>
          <message>
            <values>
              <value name="MESSAGE">IronPort message complete: icid: $icid, mid: $mid</value>
            </values>
          </message>
        </action>
      </actions>
      <examples>
        <example>
          <test_message program="ironport_mail_logs">Info: Message finished MID 144753300 done</test_message>
        </example>
      </examples>
    </rule>
  </rules>
</ruleset>
I'm getting the triggered action, but the icid is null while the mid is filled in. What am I missing?
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html