How to assign specific value in a pattern
Hi all, I need to assign a specific value to only one pattern inside a ruleset with multiple patterns. For example, I have defined the following patterns for one ruleset: <ruleset name="kernel" id='1002'> <pattern>kernel</pattern> <rules> <rule provider="By me" class='1002' id='1002'> <patterns> <pattern>pattern1</pattern> <pattern>pattern2</pattern> <pattern>pattern3</pattern> </patterns> </rule> </rules> </ruleset> The I need to do the following: <ruleset name="kernel" id='1002'> <pattern>kernel</pattern> <rules> <rule provider="By me" class='1002' id='1002'> <patterns> <pattern>pattern1</pattern> <pattern>pattern2</pattern> <values> <value name="mytestvalue">Downloaded file</value> </values> <pattern>pattern3</pattern> </patterns> </rule> </rules> </ruleset> As you can see I need to assign "Downloaded file" value to "mytestvalue" but only for pattern2 and not the others ... At this time, value "mytestvalue" is assigned to all patterns ... Is it possible to do this??
Hi, You need to make two separate rules.
On Wed, Mar 26, 2014 at 9:03 AM, Fabien Wernli <wernli@in2p3.fr> wrote:
Hi,
You need to make two separate rules.
Uhmm .. Something like this?? <ruleset name="kernel" id='1002'> <pattern>kernel</pattern> <rules> <rule provider="By me" class='1002' id='1002'> <patterns> <pattern>pattern1</pattern> <pattern>pattern3</pattern> </patterns> </rule> <rule provider="By me" class='1002' id='1002'> <patterns> <pattern>pattern2</pattern> <values> <value name="mytestvalue">Downloaded file</value> </values> </patterns> </rule> </rules> </ruleset> Can i use same class and id for this new rule??
Hi, On Wed, Mar 26, 2014 at 09:12:19AM +0000, C. L. Martinez wrote:
Uhmm .. Something like this??
no, you need to put the <values> tag just below the <rule> tag, as described in the documentation [1]
Can i use same class and id for this new rule??
you can use the same "class", but the "id" needs to be unique [1] http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.5-guide...
On Thu, Mar 27, 2014 at 7:09 AM, Fabien Wernli <wernli@in2p3.fr> wrote:
Hi,
On Wed, Mar 26, 2014 at 09:12:19AM +0000, C. L. Martinez wrote:
Uhmm .. Something like this??
no, you need to put the <values> tag just below the <rule> tag, as described in the documentation [1]
Can i use same class and id for this new rule??
you can use the same "class", but the "id" needs to be unique
[1] http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.5-guide...
Oops .. Thanks Fabien. Solved.
participants (2)
-
C. L. Martinez
-
Fabien Wernli