[syslog-ng] Help with pattern db correlation

Fekete Róbert frobert at balabit.hu
Fri Dec 17 20:35:48 CET 2010 

Hi, 

it seems that you get mid from the second message (which triggers the action), and the icid value from the first one. To refer to a value of an earlier message, you have to suffix the referred value with @how-much-earlier-the-value-was-parsed, that is @1 for you, like
<value name="MESSAGE">IronPort message complete: icid: $icid at 1,
 mid: $mid</value>

Admittedly, an example would be useful in the docs (http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.2-guide-admin-en.html/referencing-previous-messages.html).

HTH, 

Robert

On Friday, December 17, 2010 18:35 CET, Martin Holste <mcholste at gmail.com> wrote: 
 
> I'm trying to build a correlation message for Ironport similar to the
> Postfix example that was referred to in the discussions.  Here's what
> I have so far, but it's not quite working:
> 
> <ruleset>
> 		<rules>
> 			<rule class="10" id="10" context-id="ironport-mid"
> context-timeout="10" context-scope="program">
> 				<patterns>
> 					<pattern>Info: Start MID @NUMBER:mid:@ ICID @NUMBER:icid:@</pattern>
> 				</patterns>
> 				<values>
> 					<value name="icid">$icid</value>
> 				</values>
> 				<examples>
> 					<example>
> 						<test_message program="ironport_mail_logs">Info: Start MID
> 144753300 ICID 696117306</test_message>
> 					</example>
> 				</examples>
> 			</rule>
> 			<rule class="10" id="10" context-id="ironport-mid"
> context-timeout="10" context-scope="program">
> 				<patterns>
> 					<pattern>Info: Message finished MID @NUMBER:mid:@ done</pattern>
> 				</patterns>
> 				<actions>
> 					<action>
> 						<message>
> 							<values>
> 								<value name="MESSAGE">IronPort message complete: icid: $icid,
> mid: $mid</value>
> 							</values>
> 						</message>
> 					</action>
> 				</actions>
> 				<examples>
> 					<example>
> 						<test_message program="ironport_mail_logs">Info: Message
> finished MID 144753300 done</test_message>
> 					</example>
> 				</examples>
> 			</rule>
> 		</rules>
> 	</ruleset>
> 
> I'm getting the triggered action, but the icid is null while the mid
> is filled in.  What am I missing?
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.campin.net/syslog-ng/faq.html
> 
>

More information about the syslog-ng mailing list