[syslog-ng] Help with pattern db correlation

Martin Holste mcholste at gmail.com
Fri Dec 17 21:28:58 CET 2010


If I change it to
<value name="MESSAGE">IronPort message complete: icid: $icid@2, mid: $mid</value>
then the output shows "IronPort message complete: icid: @2, mid:
285561684" no matter what value I use for the integer.  If it doesn't
exist then it should be null.

This does bring up the problem of when you don't know how many lines
back your variable exists.  Can you use $(grep) in that situation?

On Fri, Dec 17, 2010 at 1:35 PM, Fekete Róbert <frobert at balabit.hu> wrote:
> Hi,
>
> It seems that you get mid from the second message (which triggers the action), and the icid value from the first one. To refer to a value of an earlier message, you have to suffix the referred value with @how-much-earlier-the-value-was-parsed, that is @1 for you, like
> <value name="MESSAGE">IronPort message complete: icid: $icid@1, mid: $mid</value>
>
> Admittedly, an example would be useful in the docs (http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.2-guide-admin-en.html/referencing-previous-messages.html).
>
> HTH,
>
> Robert
>
> On Friday, December 17, 2010 18:35 CET, Martin Holste <mcholste at gmail.com> wrote:
>
>> I'm trying to build a correlation message for Ironport similar to the
>> Postfix example that was referred to in the discussions.  Here's what
>> I have so far, but it's not quite working:
>>
>> <ruleset>
>>   <rules>
>>     <rule class="10" id="10" context-id="ironport-mid" context-timeout="10" context-scope="program">
>>       <patterns>
>>         <pattern>Info: Start MID @NUMBER:mid:@ ICID @NUMBER:icid:@</pattern>
>>       </patterns>
>>       <values>
>>         <value name="icid">$icid</value>
>>       </values>
>>       <examples>
>>         <example>
>>           <test_message program="ironport_mail_logs">Info: Start MID 144753300 ICID 696117306</test_message>
>>         </example>
>>       </examples>
>>     </rule>
>>     <rule class="10" id="10" context-id="ironport-mid" context-timeout="10" context-scope="program">
>>       <patterns>
>>         <pattern>Info: Message finished MID @NUMBER:mid:@ done</pattern>
>>       </patterns>
>>       <actions>
>>         <action>
>>           <message>
>>             <values>
>>               <value name="MESSAGE">IronPort message complete: icid: $icid, mid: $mid</value>
>>             </values>
>>           </message>
>>         </action>
>>       </actions>
>>       <examples>
>>         <example>
>>           <test_message program="ironport_mail_logs">Info: Message finished MID 144753300 done</test_message>
>>         </example>
>>       </examples>
>>     </rule>
>>   </rules>
>> </ruleset>
>>
>> I'm getting the triggered action, but the icid is null while the mid
>> is filled in.  What am I missing?
>> ______________________________________________________________________________
>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>> FAQ: http://www.campin.net/syslog-ng/faq.html
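The `$name@N` lookback that Robert describes, emulated in Python as an added example that is neither from this thread nor from syslog-ng itself: it feeds the two constructed IronPort lines from the original post through regex stand-ins for the two pattern-db rules (regexes replace the `@NUMBER@` parsers), keeps one context per program and context-id like `context-scope="program"`, and resolves `$icid@1` against the previous message in that context. It also shows why plain `$icid` came out empty in the triggering message. The `nearest()` helper is hypothetical: it walks the context newest-first for the "I don't know how many lines back" case and is not syslog-ng's `$(grep)` template function. Expanding an out-of-range lookback to an empty string is this emulator's choice, not a statement about syslog-ng's exact behaviour.

```python
import re
from collections import defaultdict

# Constructed sample messages, taken from the test_message elements in the thread.
MESSAGES = [
    ("ironport_mail_logs", "Info: Start MID 144753300 ICID 696117306"),
    ("ironport_mail_logs", "Info: Message finished MID 144753300 done"),
]

# Stand-ins for the two rules: (pattern, action template or None).
# Named groups play the role of @NUMBER:mid:@ and @NUMBER:icid:@.
RULES = [
    (re.compile(r"Info: Start MID (?P<mid>\d+) ICID (?P<icid>\d+)"), None),
    (re.compile(r"Info: Message finished MID (?P<mid>\d+) done"),
     "IronPort message complete: icid: $icid@1, mid: $mid"),
]

# $name reads the newest (triggering) message, $name@N reads N messages back.
MACRO = re.compile(r"\$(?P<name>[A-Za-z_][A-Za-z0-9_]*)(?:@(?P<back>\d+))?")


def render(template, context):
    """Expand $name and $name@N against a context (list of dicts, newest last).

    A reference to a message that does not exist, or to a name that message
    lacks, expands to an empty string (emulator's choice, labelled as such).
    """
    def sub(m):
        back = int(m.group("back") or 0)
        idx = len(context) - 1 - back
        if idx < 0:
            return ""
        return context[idx].get(m.group("name"), "")
    return MACRO.sub(sub, template)


def nearest(context, name):
    """Hypothetical helper: newest-first search for the first message carrying `name`.

    Answers the 'unknown number of lines back' case without a fixed @N.
    """
    for msg in reversed(context):
        if name in msg:
            return msg[name]
    return ""


def correlate(messages, rules, context_id="ironport-mid"):
    """Run messages through the rules with one context per (program, context_id).

    Returns the list of action messages produced, in order.
    """
    contexts = defaultdict(list)
    produced = []
    for program, text in messages:
        for pattern, template in rules:
            match = pattern.match(text)
            if not match:
                continue
            ctx = contexts[(program, context_id)]
            ctx.append(dict(match.groupdict()))  # parsed name-value pairs join the context
            if template:
                produced.append(render(template, ctx))
            break  # first matching rule wins, as in pattern db
    return produced


if __name__ == "__main__":
    for line in correlate(MESSAGES, RULES):
        print(line)
```

Running it prints `IronPort message complete: icid: 696117306, mid: 144753300`; swapping the template back to `$icid` (no lookback) reproduces the empty icid from the original post, because the triggering "Message finished" line never parsed an icid of its own.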