Hi,

On Fri, 2011-02-11 at 16:48 +0100, Valentijn Sessink wrote:
> Hello list,
>
> After playing with correlation for a while, here are a few remarks on its workings. I have played with syslog-ng 3.2.2, built from source on an Ubuntu 10.04 machine.
>
> For some reason, the "@1", "@2"... etcetera specifiers needed to be all over the place to be able to see any variable at all. For example, the rule below describes the last message of a Postfix log trail. Note that even the context-id is specified as "${queueid}@1". All other references also have an "@" sign. Without the @, the variables seem just empty.
>
> <rule id='X' context-id="${queueid}@1" context-scope="host" provider="openoffice" class="maildelivery">
>   <patterns>
>     <pattern>@ESTRING:queueid: @removed</pattern>
>   </patterns>
>   <actions>
>     <action>
>       <message>
>         <values>
>           <value name="MESSAGE">${queueid}@1 mail to=<${toaddress}@2> from=<${pffrom}@3> connection from=${pfremotehost}@5[${pfremoteip}@5] msgid=<${msgid}@4> orig_to=<${origto}@2> delay=${deliverystatus}@2</value>
>         </values>
>       </message>
>     </action>
>   </actions>
> </rule>
>
> Is this how it's meant to be?
hmm.. no, @1 should be the one before the current message. I've just tried to reproduce this with 3.3 but it works fine. ... seems to work OK in 3.2 too. How did you reproduce this exactly?
> Then, when trying to use the "grep" template function in this message, I can't seem to find out how it works. Using the exact example from the documentation, $(grep ("${username}" == "root") ${auth_method}), I only get an error:
>
> Error parsing filter expression, syntax error, unexpected $undefined in <string> at line 1, column 3:
> (${
>   ^
The error message seems to indicate that the quotes are missing. Let me check this too. Yes, that's the problem. hmm.. The XML shouldn't do this, as this is a text node, not an attribute node and there '"' doesn't matter. I'll have to dig deeper.
> Trying to alter the message, using "$something" == "value", doesn't seem to have an effect, i.e. I can't get "grep" to find any values. In fact, I'm not even sure if I can use the names from the (E/Q)STRING parsers right away, or if I need to have <value name="something"> tags before I can grep for them.
grep is applied to the context, and the current message is part of the context. If you want to grep for name-value pairs of the current message then yes, the values need to come before the grep.
> In fact, most of the time, the grep I would like to use is something like: $(grep ( "$variable" != "" ) "$variable"). But whatever I try, no results from grep.
>
> Could anyone please clarify?
-- Bazsi
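As an added illustration (not part of the thread, and not syslog-ng's patterndb engine), the Python below models what the quoted Postfix rule is trying to produce: it keeps one context per Postfix queue id, extracts the name-value pairs from each line as it arrives, and emits a single delivery summary when the "removed" line closes the context. The field names (queueid, toaddress, pffrom, pfremotehost, pfremoteip, msgid, origto, deliverystatus) are borrowed from the rule; the regular expressions that fill them, and the sample log lines, are my own constructed assumptions about the Postfix log format. It also shows the ordering point from the reply above: a value can only be used in the summary after the line that carries it has been parsed into the context, and a queue id whose message is still deferred leaves its context open rather than producing a summary.

```python
import re
from collections import defaultdict

# Constructed sample Postfix log lines (not from the thread): two queue ids
# interleaved; the first is delivered and removed, the second is deferred.
SAMPLE_LOG = """\
Feb 11 16:48:01 mx postfix/smtpd[1234]: 3A1B2C3D4E: client=mail.example.net[192.0.2.10]
Feb 11 16:48:01 mx postfix/cleanup[1235]: 3A1B2C3D4E: message-id=<abc123@example.net>
Feb 11 16:48:01 mx postfix/smtpd[1234]: 5F6A7B8C9D: client=relay.example.com[198.51.100.7]
Feb 11 16:48:01 mx postfix/qmgr[1236]: 3A1B2C3D4E: from=<alice@example.net>, size=1234, nrcpt=1 (queue active)
Feb 11 16:48:02 mx postfix/local[1237]: 3A1B2C3D4E: to=<bob@example.org>, orig_to=<postmaster@example.org>, relay=local, delay=0.5, delays=0.2/0.1/0/0.2, dsn=2.0.0, status=sent (delivered to mailbox)
Feb 11 16:48:02 mx postfix/qmgr[1236]: 3A1B2C3D4E: removed
Feb 11 16:48:03 mx postfix/cleanup[1235]: 5F6A7B8C9D: message-id=<zzz@example.com>
Feb 11 16:48:03 mx postfix/qmgr[1236]: 5F6A7B8C9D: from=<carol@example.com>, size=999, nrcpt=1 (queue active)
Feb 11 16:48:04 mx postfix/smtp[1238]: 5F6A7B8C9D: to=<dave@example.org>, relay=mx.example.org[203.0.113.5]:25, delay=1.2, delays=0.3/0.1/0.4/0.4, dsn=4.4.1, status=deferred (connection timed out)
"""

# Assumed syslog line shape: "<timestamp> <host> postfix/<prog>[<pid>]: <queueid>: <msg>"
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]+\s+\S+\s+postfix/(?P<prog>\w+)\[\d+\]: "
    r"(?P<queueid>[0-9A-F]+): (?P<msg>.*)$"
)

# Field extractors, named after the variables used in the quoted rule.
# Each is an assumption about where Postfix puts the value.
FIELD_RES = {
    "pfremotehost": re.compile(r"client=([^\[\s,]+)\["),
    "pfremoteip": re.compile(r"client=[^\[\s,]+\[([^\]]+)\]"),
    "msgid": re.compile(r"message-id=<([^>]*)>"),
    "pffrom": re.compile(r"from=<([^>]*)>"),
    "toaddress": re.compile(r"\bto=<([^>]*)>"),   # \b keeps orig_to= from matching
    "origto": re.compile(r"orig_to=<([^>]*)>"),
    "deliverystatus": re.compile(r"status=(\w+)"),
}


def summary(queueid, ctx):
    """Render the one-line delivery record the rule's MESSAGE value describes."""
    fields = {name: ctx.get(name, "") for name in FIELD_RES}
    return (
        "{queueid} mail to=<{toaddress}> from=<{pffrom}> "
        "connection from={pfremotehost}[{pfremoteip}] msgid=<{msgid}> "
        "orig_to=<{origto}> delay={deliverystatus}"
    ).format(queueid=queueid, **fields)


def correlate(log_text):
    """Correlate Postfix lines by queue id.

    Returns (summaries, open_contexts): one summary per queue id that reached
    "removed", plus the still-open contexts for queue ids that have not.
    """
    contexts = defaultdict(dict)  # queueid -> accumulated name/value pairs
    summaries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a Postfix line this model understands
        qid, msg = m.group("queueid"), m.group("msg")
        ctx = contexts[qid]
        # Values are parsed into the context *before* anything can use them.
        for name, rx in FIELD_RES.items():
            fm = rx.search(msg)
            if fm:
                ctx[name] = fm.group(1)
        if msg == "removed":
            summaries.append(summary(qid, ctx))
            del contexts[qid]  # context closed; free it
    return summaries, dict(contexts)


if __name__ == "__main__":
    done, pending = correlate(SAMPLE_LOG)
    for s in done:
        print(s)
    for qid, ctx in pending.items():
        print(f"{qid}: still open, status={ctx.get('deliverystatus', '')}")
```

Run against the constructed input, the first queue id yields one summary line with every field filled in, while the second stays in the open-context table with status "deferred" because no "removed" line has arrived for it yet; that open table is what a real correlation engine has to expire on a timeout.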