[Bug 232] New: FEATURE: patterndb to support multiple correlation contexts
https://bugzilla.balabit.com/show_bug.cgi?id=232

           Summary: FEATURE: patterndb to support multiple correlation contexts
           Product: syslog-ng
           Version: 3.4.x
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: unspecified
         Component: syslog-ng
        AssignedTo: bazsi@balabit.hu
        ReportedBy: erempel@uvic.ca
Type of the Report: ---
   Estimated Hours: 0.0

I have come across a correlation requirement that the patterndb cannot handle.

The general idea is that I need to correlate three lines, where one line has two pieces of correlation information, each of which correlates to one of the other lines.

Example:

sm-mta[28270]: r3LLxvol028270: from=<someone@uvic.ca>, size=9506, class=0, nrcpts=1, msgid=<110bc310e87975113303806e139628b7.squirrel@wm3.uvic.ca>, proto=ESMTP, daemon=MTA, relay=[123.69.98.48]
sm-mta[10644]: r3LLxvol028270: to=<someone@uvic.ca>, delay=00:00:00, pri=91535, stat=Rejected as outbound quota has been exceeded.
squirrelmail: Message sent via webmail: by jdc (uvic.ca) at 142.104.193.193 on 04/21/2013 15:01:27: Message-ID: 110bc310e87975113303806e139628b7.squirrel@wm3.uvic.ca

The first line has the ESMTPID (r3LLxvol028270) and the mail msgid (110bc310e87975113303806e139628b7.squirrel@wm3.uvic.ca).
The second line only has the ESMTPID (r3LLxvol028270).
The third line only has the mail msgid (110bc310e87975113303806e139628b7.squirrel@wm3.uvic.ca).

So in this case, the only way to get the authenticated user that had the e-mail "Rejected as outbound quota has been exceeded" is to correlate the third line to the second line by using the two correlation components from the first line.
I would recommend that the patterndb be changed to permit multiple correlation contexts:

<rule id="1" context-timeout="2" context-scope="program" provider="UVic">
  <contexts>
    <context>$HOST:$esmtpid</context>
    <context>$HOST:$msgid</context>
  </contexts>
  <patterns>
    <pattern>@ESTRING:esmtpid::@ from=@QSTRING:from:<>@, size=@NUMBER@, class=@NUMBER@, nrcpts=@NUMBER@, msgid=@QSTRING:msgid:<>@</pattern>
  </patterns>
  <actions>
    <action trigger="timeout">
      <message inherit-properties='TRUE'>
        <value name="MESSAGE">My message here</value>
      </message>
    </action>
  </actions>
</rule>

<rule id="2" context-timeout="2" context-scope="program" provider="UVic">
  <contexts>
    <context>$HOST:$esmtpid</context>
  </contexts>
  <patterns>
    <pattern>@ESTRING:esmtpid::@ to=@QSTRING:to:<>@, delay=@ESTRING:delay:,@ pri=@NUMBER@, stat=Rejected as outbound quota has been exceeded.</pattern>
  </patterns>
  <actions>
    <action trigger="timeout">
      <message inherit-properties='TRUE'>
        <value name="MESSAGE">My message here</value>
      </message>
    </action>
  </actions>
</rule>

<rule id="3" context-timeout="2" context-scope="program" provider="UVic">
  <contexts>
    <context>$HOST:$msgid</context>
  </contexts>
  <patterns>
    <pattern>Message sent via webmail: by @ESTRING:login: @@QSTRING:domain:()@ at @IPv4@ on @ESTRING:date:: @Message-ID: @ANYSTRING:msgid@</pattern>
  </patterns>
  <actions>
    <action trigger="timeout">
      <message inherit-properties='TRUE'>
        <value name="MESSAGE">My message here</value>
      </message>
    </action>
  </actions>
</rule>

Obviously the action could do something a little more useful, but I think the point is clear that all three of these would be correlated together.
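The correlation the report asks for, shown as an added example that is not part of the bug report and not syslog-ng's own code: each parsed message is attached to one or more context keys (the role of the proposed <contexts> block), messages that share a key are merged transitively, and the webmail login behind each rejected delivery is then read out of the merged group. The three log lines are the ones from the report; the fourth line (an unrelated, successful delivery) is constructed. The regexes, rule names and function names are assumptions standing in for patterndb's @ESTRING@/@QSTRING@ parsers; context-timeout and $HOST scoping are not modelled, the whole batch is treated as one window.

```python
import re
from collections import defaultdict

# The three lines from the bug report, plus one constructed line for an
# unrelated, successful delivery (to show it is not merged into the group).
SAMPLE_LINES = [
    "sm-mta[28270]: r3LLxvol028270: from=<someone@uvic.ca>, size=9506, class=0, "
    "nrcpts=1, msgid=<110bc310e87975113303806e139628b7.squirrel@wm3.uvic.ca>, "
    "proto=ESMTP, daemon=MTA, relay=[123.69.98.48]",
    "sm-mta[10644]: r3LLxvol028270: to=<someone@uvic.ca>, delay=00:00:00, "
    "pri=91535, stat=Rejected as outbound quota has been exceeded.",
    "squirrelmail: Message sent via webmail: by jdc (uvic.ca) at 142.104.193.193 "
    "on 04/21/2013 15:01:27: Message-ID: 110bc310e87975113303806e139628b7.squirrel@wm3.uvic.ca",
    # constructed: a different ESMTP id, no webmail line, not rejected
    "sm-mta[10645]: r3LLy0aa028271: to=<other@example.org>, delay=00:00:01, "
    "pri=90000, stat=Sent (ok)",
]

# One entry per rule: (rule name, field extractor, context fields).
# The context fields mirror the proposed <contexts> block: a message joins
# every context built from the listed fields. Regexes are assumptions that
# stand in for patterndb's @ESTRING@/@QSTRING@ parsers.
RULES = [
    ("from",
     re.compile(r"^sm-mta\[\d+\]: (?P<esmtpid>\S+): from=<(?P<from>[^>]*)>, "
                r".*msgid=<(?P<msgid>[^>]*)>"),
     ["esmtpid", "msgid"]),
    ("to",
     re.compile(r"^sm-mta\[\d+\]: (?P<esmtpid>\S+): to=<(?P<to>[^>]*)>, "
                r".*stat=(?P<stat>.*)$"),
     ["esmtpid"]),
    ("webmail",
     re.compile(r"^squirrelmail: Message sent via webmail: by (?P<login>\S+) "
                r"\((?P<domain>[^)]*)\) at (?P<ip>\S+) on (?P<date>.*?): "
                r"Message-ID: (?P<msgid>\S+)$"),
     ["msgid"]),
]


def parse(line):
    """Return (fields, context_keys) for the first matching rule, or (None, [])."""
    for name, rx, context_fields in RULES:
        m = rx.match(line)
        if m:
            fields = dict(m.groupdict(), rule=name)
            keys = [f"{c}:{fields[c]}" for c in context_fields]
            return fields, keys
    return None, []


def correlate(lines):
    """Group parsed messages that share a context key, transitively.

    The sm-mta 'from' line carries two keys, so it bridges the esmtpid
    context and the msgid context; that bridge is what the report needs.
    """
    messages, by_key = [], defaultdict(list)
    for line in lines:
        fields, keys = parse(line)
        if fields is None:
            continue
        messages.append(fields)
        for k in keys:
            by_key[k].append(len(messages) - 1)

    # Union-find over message indices: every context key joins its members.
    parent = list(range(len(messages)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for members in by_key.values():
        root = find(members[0])
        for idx in members[1:]:
            parent[find(idx)] = root

    groups = defaultdict(list)
    for idx, fields in enumerate(messages):
        groups[find(idx)].append(fields)
    return list(groups.values())


def rejected_webmail_senders(lines):
    """For each rejected delivery, report the webmail login that sent it."""
    results = []
    for group in correlate(lines):
        webmail = [f for f in group if f["rule"] == "webmail"]
        for t in group:
            if t["rule"] != "to" or not t["stat"].startswith("Rejected"):
                continue
            for w in webmail:
                results.append({
                    "login": w["login"], "domain": w["domain"], "ip": w["ip"],
                    "esmtpid": t["esmtpid"], "msgid": w["msgid"], "stat": t["stat"],
                })
    return results


if __name__ == "__main__":
    for hit in rejected_webmail_senders(SAMPLE_LINES):
        print(hit)
```

Run as a script it prints one hit, the login jdc behind ESMTP id r3LLxvol028270; the constructed fourth line ends up in a group of its own because it shares no key with the others.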