[syslog-ng] Help with pattern db correlation
Martin Holste
mcholste at gmail.com
Fri Dec 17 18:35:15 CET 2010
I'm trying to build a correlation message for Ironport similar to the
Postfix example that was referred to in the discussions. Here's what
I have so far, but it's not quite working:
<ruleset>
  <rules>
    <rule class="10" id="10" context-id="ironport-mid"
          context-timeout="10" context-scope="program">
      <patterns>
        <pattern>Info: Start MID @NUMBER:mid:@ ICID @NUMBER:icid:@</pattern>
      </patterns>
      <values>
        <value name="icid">$icid</value>
      </values>
      <examples>
        <example>
          <test_message program="ironport_mail_logs">Info: Start MID 144753300 ICID 696117306</test_message>
        </example>
      </examples>
    </rule>
    <rule class="10" id="10" context-id="ironport-mid"
          context-timeout="10" context-scope="program">
      <patterns>
        <pattern>Info: Message finished MID @NUMBER:mid:@ done</pattern>
      </patterns>
      <actions>
        <action>
          <message>
            <values>
              <value name="MESSAGE">IronPort message complete: icid: $icid, mid: $mid</value>
            </values>
          </message>
        </action>
      </actions>
      <examples>
        <example>
          <test_message program="ironport_mail_logs">Info: Message finished MID 144753300 done</test_message>
        </example>
      </examples>
    </rule>
  </rules>
</ruleset>
I'm getting the triggered action, but the icid is null while the mid
is filled in. What am I missing?