Hi all,

I'm using the pattern-db to extract values from a firewall's log. 

This far, everything's working great.

The log looks something like this:

Jan 20 2016 21:48:45: %ASA-7-746012: user-identity: Add IP-User mapping 10.10.99.7 - LOCAL\alex Succeeded - VPN user 

Using pdbtool and matching the log against the xml pattern file, this is showing me good results :


:$pdbtool match -P "%ASA-7-746012" -M "user-identity: Add IP-User mapping 10.10.99.7 - LOCAL\alex Succeeded - VPN user" -p /etc/syslog-ng/patterndb.d/vpn-parser-up.xml -D -c 
Pattern matching part:
user-identity: Add IP-User mapping @IPv4:VPN_IP=10.10.99.7@ - LOCAL\@STRING:VPN_USER=alex@ Succeeded - VPN user
Matching part:
user-identity: Add IP-User mapping 10.10.99.7 - LOCAL\alex Succeeded - VPN user
Values:
MESSAGE=user-identity: Add IP-User mapping 10.10.99.7 - LOCAL\alex Succeeded - VPN user
PROGRAM=%ASA-7-746012
.classifier.class=vpn.access_log
.classifier.rule_id=019045a7383c252e57c20435ae5bf86c
VPN_IP=10.10.99.7
VPN_USER=alex
TAGS=


Here's the xml file

<patterndb version='4' pub_date='2015-12-22'>
  <ruleset id='04ba26e756011614c57cf469fed7b5c0' name='%ASA-7-746012'>
    <pattern>%ASA-7-746012</pattern>
     <rules>
      <rule class='vpn.access_log' id='019045a7383c252e57c20435ae5bf86c' provider='alex'>
        <patterns>
                <pattern>user-identity: Add IP-User mapping @IPv4:VPN_IP@ - LOCAL\@STRING:VPN_USER@ Succeeded - VPN user</pattern>
        </patterns>
        </rule>   
         </rules>
  </ruleset>
</patterndb>


Now, the problem lies on the destination which is using the smtp driver.

destination vpn_mail_up { 
        smtp(
                host("x.x.x.x")
                port(25)
                from("alex@x.y" "alex@x.y")
                to("${VPN_USER}@x.y")
                subject("vpn connection")
                body("vpn connection from ${VPN_USER}  with IP: ${VPN_IP}\n")
        );
};

The variable is functional inside the body() but not in the to() field.

Here's a dump I extracted directly from the server on the tcp session to the mail server:

RCPT.TO:<${VPN_USER}@x.y>..
BDAT.411..
X-Mailer:.syslog-ng.3.5.6..
Date:.Wed,.20.Jan.2016.21:51:51.+0100..
From:.alex@x.y..
Message-Id:.<1453323111.149975.19608@debian>..
To:."${VPN_USER}@x.y".<${VPN_USER}@x.y>..
Subject:.vpn.connection..
.BDAT.68..vpn.connection.from.alex..with.IP:.10.10.99.7.BDAT.2.LAST..

The variable is being populated in the body message but not the recipient. 

Is there any chance the variable could only be used once (!?) or not being able to be used inside the to() ? 

Regards,

Alex