Hi to all. We're using syslog-ng 3.2.4 and we're having a weird behaviour in using macros with actions values. Here it is a sample pattern-db rule: <?xml version='1.0' encoding='UTF-8'?> <patterndb version='4' pub_date='2011-06-20'> <ruleset name='cron' id='cron-ruleset'> <pattern>/usr/sbin/cron</pattern> <rules> <rule provider="patterndb" id="cron-1" class="system" context-id="sample-context-id"> <patterns> <pattern>(@ESTRING:usracct.username:) @CMD (@ESTRING:details:)@</pattern> </patterns> <actions> <action trigger="match" condition="match('mymatch' value('details'))"> <message> <values> <value name="MESSAGE">[${details}] was found in a cron log message. Rule number [${.classifier.rule_id}]</value> <value name="TRIGGER">yes</value> </values> </message> </action> </actions> </rule> </rules> </ruleset> </patterndb> We tested the rule using pdtool match command and the output was: # pdbtool match -P "/usr/sbin/cron" -M "(root) CMD (mymatch)" MESSAGE=(root) CMD (mymatch) PROGRAM=/usr/sbin/cron .classifier.class=system .classifier.rule_id=cron-1 usracct.username=root details=mymatch HOST= MESSAGE=[] was found in a cron log message. Rule number [] PROGRAM=/usr/sbin/cron PID= TRIGGER=yes We instead expected the following output from pdtool match execution : # pdbtool match -P "/usr/sbin/cron" -M "(root) CMD (mymatch)" MESSAGE=(root) CMD (mymatch) PROGRAM=/usr/sbin/cron .classifier.class=system .classifier.rule_id=cron-1 usracct.username=root details=mymatch HOST= MESSAGE=[mymatch] was found in a cron log message. Rule number [cron-1 ] PROGRAM=/usr/sbin/cron PID= TRIGGER=yes Macro expansion was not executed in action values but it was in action definition... What are we missing? Thank you in advance for your help Denis Gasparin --- Edistar SRL