problem tagging with patterndb (syslog-ng 3.4.1)
Hello all,

I am having a problem understanding patterndb and tags, for the following rule the log line is matched but tags are not settled in pdbtool output. What am I missing here?

<rule id="dad57bd5-6f9e-47b8-9e9f-401e3eb34334" provider="user" class="system">
  <patterns>
    <pattern>@ESTRING:postfix.qid::@ to=@QSTRING:postfix.to:<>@, orig_to=@QSTRING:postfix.orig_to:<>@, relay=@ESTRING:postfix.relay.hostname:[@@ESTRING:postfix.relay.path:]@, delay=@ESTRING:postfix.delay:,@ delays=@ESTRING:postfix.delays.1:/@@ESTRING:postfix.delays.2:/@@ESTRING:postfix.delays.3:/@@ESTRING:postfix.delays.4:,@ dsn=@ESTRING:postfix.dsn:,@ status=@ESTRING:postfix.status: @@QSTRING:postfix.statusmsg:()@</pattern>
    <pattern>@ESTRING:postfix.qid::@ to=@QSTRING:postfix.to:<>@, orig_to=@QSTRING:postfix.orig_to:<>@, relay=@ESTRING:postfix.relay.hostname:[@@ESTRING:postfix.relay.path:]@:24, delay=@ESTRING:postfix.delay:,@ delays=@ESTRING:postfix.delays.1:/@@ESTRING:postfix.delays.2:/@@ESTRING:postfix.delays.3:/@@ESTRING:postfix.delays.4:,@ dsn=@ESTRING:postfix.dsn:,@ status=@ESTRING:postfix.status: @@QSTRING:postfix.statusmsg:()@</pattern>
    <pattern>@ESTRING:postfix.qid::@ to=@QSTRING:postfix.to:<>@, orig_to=@QSTRING:postfix.orig_to:<>@, relay=@ESTRING:postfix.relay.hostname:[@@ESTRING:postfix.relay.path:]@:24, delay=@ESTRING:postfix.delay:,@ delays=@ESTRING:postfix.delays.1:/@@ESTRING:postfix.delays.2:/@@ESTRING:postfix.delays.3:/@@ESTRING:postfix.delays.4:,@ dsn=@ESTRING:postfix.dsn:,@ status=@ESTRING:postfix.status: @(@ESTRING:postfix.status.code1: @@ESTRING:postfix.status.code2: @@EMAIL:postfix.status.recipient:<> @@ESTRING:postfix.status.qid: @Saved)</pattern>
  </patterns>
  <tags>
    <tag>postfix</tag>
    <tag>lmtp</tag>
  </tags>
</rule>

$ pdbtool match -P 'postfix' -p postfix.pdb -D -c -f mail.log

Pattern matching part:
@ESTRING:postfix.qid=B5BBAADB@ to=@QSTRING:postfix.to=user002@example.com@, orig_to=@QSTRING:postfix.orig_to=noreply@example.com@, relay=@ESTRING:postfix.relay.hostname=lmtp.example.com@@ESTRING:postfix.relay.path=10.180.242.142@:24, delay=@ESTRING:postfix.delay=0.07@ delays=@ESTRING:postfix.delays.1=0.04@@ESTRING:postfix.delays.2=0@@ESTRING:postfix.delays.3=0@@ESTRING:postfix.delays.4=0.03@ dsn=@ESTRING:postfix.dsn=2.0.0@ status=@ESTRING:postfix.status=sent@(@ESTRING:postfix.status.code1=250@@ESTRING:postfix.status.code2=2.0.0@@EMAIL:postfix.status.recipient=noreply@example.com@@ESTRING:postfix.status.qid=XP52K7Bp+1G/FAAAtCZERg@Saved)

Matching part:
B5BBAADB: to=<user002@example.com>, orig_to=<noreply@example.com>, relay=lmtp.example.com[10.180.242.142]:24, delay=0.07, delays=0.04/0/0/0.03, dsn=2.0.0, status=sent (250 2.0.0 <noreply@example.com> XP52K7Bp+1G/FAAAtCZERg Saved)

Values:
HOST=mailserver
MESSAGE=B5BBAADB: to=<user002@example.com>, orig_to=<noreply@example.com>, relay=lmtp.example.com[10.180.242.142]:24, delay=0.07, delays=0.04/0/0/0.03, dsn=2.0.0, status=sent (250 2.0.0 <noreply@example.com> XP52K7Bp+1G/FAAAtCZERg Saved)
PROGRAM=postfix/lmtp
PID=29484
LEGACY_MSGHDR=postfix/lmtp[29484]:
.classifier.class=system
.classifier.rule_id=dad57bd5-6f9e-47b8-9e9f-401e3eb34334
postfix.qid=B5BBAADB
postfix.to=user002@example.com
postfix.orig_to=noreply@example.com
postfix.relay.hostname=lmtp.example.com
postfix.relay.path=10.180.242.142
postfix.delay=0.07
postfix.delays.1=0.04
postfix.delays.2=0
postfix.delays.3=0
postfix.delays.4=0.03
postfix.dsn=2.0.0
postfix.status=sent
postfix.status.code1=250
postfix.status.code2=2.0.0
postfix.status.recipient=noreply@example.com
postfix.status.qid=XP52K7Bp+1G/FAAAtCZERg
TAGS=
Pdbtool output does not show tags until 3.4.2

-------- Original message --------
From: mailing lists <listas.correo@yahoo.es>
Date: 08-06-2013 1:01 AM (GMT-08:00)
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng] problem tagging with patterndb (syslog-ng 3.4.1)
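
An added example, not part of the thread and not a configuration shipped by the syslog-ng project: with pdbtool on 3.4.1 printing an empty TAGS=, one way to check the rule's tags is to load the same database in syslog-ng itself and write ${TAGS} to a file. The file paths and the object names (s_mail, p_postfix, f_postfix_lmtp, d_all, d_tagcheck) are assumptions, as is the premise that the daemon applies the tags even though pdbtool does not print them.

```conf
@version: 3.4
# Syntax check before running: syslog-ng -s -f tagcheck.conf

# Assumed input: the mail log that was given to pdbtool with -f.
source s_mail { file("/var/log/mail.log"); };

# Same pattern database that was given to pdbtool with -p (path assumed).
parser p_postfix { db-parser(file("/etc/syslog-ng/postfix.pdb")); };

# Passes only messages that carry both tags from the rule's <tags> block.
filter f_postfix_lmtp { tags("postfix") and tags("lmtp"); };

# Unfiltered copy: shows whether a rule matched at all and which tags
# each message ended up with.
destination d_all {
    file("/tmp/patterndb-all.log"
         template("${ISODATE} ${PROGRAM} class=${.classifier.class} rule=${.classifier.rule_id} tags=${TAGS}\n"));
};

# Filtered copy: a line lands here only if both tags were set.
destination d_tagcheck {
    file("/tmp/patterndb-tagcheck.log"
         template("${ISODATE} ${PROGRAM} tags=${TAGS} qid=${postfix.qid} status=${postfix.status}\n"));
};

log { source(s_mail); parser(p_postfix); destination(d_all); };
log { source(s_mail); parser(p_postfix); filter(f_postfix_lmtp); destination(d_tagcheck); };
```

A message that appears in the unfiltered file with the expected rule id but never reaches the filtered file matched the rule without receiving its tags; one that appears in both was tagged.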
participants (2): Evan Rempel, mailing lists