Hi to all.

We're using syslog-ng 3.2.4 and we're seeing weird behaviour when using macros with action values.

Here is a sample pattern-db rule:

<?xml version='1.0' encoding='UTF-8'?>
<patterndb version='4' pub_date='2011-06-20'>
  <ruleset name='cron' id='cron-ruleset'>
    <pattern>/usr/sbin/cron</pattern>
    <rules>
      <rule provider="patterndb" id="cron-1" class="system" context-id="sample-context-id">
        <patterns>
          <pattern>(@ESTRING:usracct.username:) @CMD (@ESTRING:details:)@</pattern>
        </patterns>
        <actions>
          <action trigger="match" condition="match('mymatch' value('details'))">
            <message>
              <values>
                <value name="MESSAGE">[${details}] was found in a cron log message. Rule number [${.classifier.rule_id}]</value>
                <value name="TRIGGER">yes</value>
              </values>
            </message>
          </action>
        </actions>
      </rule>
    </rules>
  </ruleset>
</patterndb>

We tested the rule using the pdbtool match command and the output was:

# pdbtool match  -P "/usr/sbin/cron" -M "(root) CMD (mymatch)"
MESSAGE=(root) CMD (mymatch)
PROGRAM=/usr/sbin/cron
.classifier.class=system
.classifier.rule_id=cron-1
usracct.username=root
details=mymatch

HOST=
MESSAGE=[] was found in a cron log message. Rule number []
PROGRAM=/usr/sbin/cron
PID=
TRIGGER=yes

Instead, we expected the following output from the pdbtool match execution:

# pdbtool match  -P "/usr/sbin/cron" -M "(root) CMD (mymatch)"
MESSAGE=(root) CMD (mymatch)
PROGRAM=/usr/sbin/cron
.classifier.class=system
.classifier.rule_id=cron-1
usracct.username=root
details=mymatch

HOST=
MESSAGE=[mymatch] was found in a cron log message. Rule number [cron-1]
PROGRAM=/usr/sbin/cron
PID=
TRIGGER=yes

Macro expansion was not performed in the action values, but it was in the action definition... What are we missing?

Thank you in advance for your help

Denis Gasparin
---
Edistar SRL