[syslog-ng] using correlation to filter out some messages ?
Balazs Scheidler
bazsi at balabit.hu
Mon Jan 24 17:35:57 CET 2011
Sorry, I didn't have enough time to understand the problem, but I'll try
harder in the near future, promise :)
On Sun, 2011-01-16 at 11:54 -0600, Martin Holste wrote:
> Ok, got it. So here's the patterndb correlation challenge I'm working
> on: Cisco's Ironport is an email/spam filter that produces verbose
> logging. The logs have two IDs of interest, the ICID which goes with
> the connection and the MID which goes with each individual email.
> Usually, a single email will produce between 15 and 30 log messages.
> I'm looking to use correlation to produce one "meta" message which has
> the most important details from all messages so that when searching
> logs, you don't have to do follow-up searches to find all of the info
> you're looking for. Here's what I've got so far:
>
> <ruleset>
> <rules>
> <rule class="10" id="10" context-id="ironport-icid"
> context-timeout="10" context-scope="program">
> <patterns>
> <pattern>Info: New SMTP ICID @NUMBER:icid:@ interface
> @ESTRING:interface_name: @(@IPv4:interface_ip:@) address
> @IPv4:sender_ip:@ reverse dns host @ESTRING:sender_dns: @verified
> yes</pattern>
> </patterns>
> <examples>
>
--
Bazsi
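As an added example (not code from this thread or from syslog-ng), here is a small Python emulation of the correlation Martin describes: it assumes the ICID is the context key and that the MID and close lines have the constructed shapes shown, groups the messages of one connection, expires the context after the 10-second timeout, and emits a single meta message carrying the fields collected from all of them.

```python
import re
# Constructed sample lines (not real IronPort output): the first follows the quoted
# pattern's shape, the MID and close lines are assumed. Tuples are (seconds, message).
SAMPLE_LOG = [
    (0.0, "Info: New SMTP ICID 123 interface Data1 (10.0.0.5) address 192.0.2.10 "
          "reverse dns host mail.example.net verified yes"),
    (1.0, "Info: MID 456 ICID 123 From: <alice@example.net>"),
    (1.2, "Info: MID 456 ICID 123 RID 0 To: <bob@example.com>"),
    (2.0, "Info: ICID 123 close"),
    (20.0, "Info: New SMTP ICID 124 interface Data1 (10.0.0.5) address 198.51.100.7 "
           "reverse dns host unknown verified no"),
]
# Regexes standing in for the patterndb parsers (@NUMBER:icid:@, @IPv4:sender_ip:@ ...).
PATTERNS = [
    re.compile(r"^Info: New SMTP ICID (?P<icid>\d+) interface (?P<interface_name>\S+) "
               r"\((?P<interface_ip>[\d.]+)\) address (?P<sender_ip>[\d.]+) "
               r"reverse dns host (?P<sender_dns>\S+) verified (?P<verified>\S+)$"),
    re.compile(r"^Info: MID (?P<mid>\d+) ICID (?P<icid>\d+) From: <(?P<sender>[^>]+)>$"),
    re.compile(r"^Info: MID (?P<mid>\d+) ICID (?P<icid>\d+) RID \d+ To: <(?P<recipient>[^>]+)>$"),
    re.compile(r"^Info: ICID (?P<icid>\d+) close$"),
]
CONTEXT_TIMEOUT = 10.0  # seconds, mirrors context-timeout="10" in the quoted rule


def correlate(lines, timeout=CONTEXT_TIMEOUT):
    """One context per ICID (assumed context key); a context becomes a single meta
    message once it has been idle for `timeout` seconds, like a timeout action."""
    contexts, meta = {}, []  # icid -> {"last": ts, "count": n, "fields": {...}}

    def flush(now):
        for icid in [k for k, c in contexts.items() if now - c["last"] >= timeout]:
            c = contexts.pop(icid)
            meta.append({"icid": icid, "message_count": c["count"], **c["fields"]})

    for ts, line in lines:
        flush(ts)  # expire idle contexts before handling the new message
        fields = next((m.groupdict() for m in (p.match(line) for p in PATTERNS) if m), None)
        if fields is None:
            continue  # unmatched lines never join a context
        ctx = contexts.setdefault(fields["icid"],
                                  {"last": ts, "count": 0, "fields": {"recipients": []}})
        ctx["last"], ctx["count"] = ts, ctx["count"] + 1
        for k, v in fields.items():
            if k == "recipient":
                ctx["fields"]["recipients"].append(v)  # one email can have several
            elif k != "icid":
                ctx["fields"].setdefault(k, v)  # first value wins
    flush(float("inf"))  # end of input: drain whatever is still open
    return meta
```

Running `correlate(SAMPLE_LOG)` yields two meta messages: ICID 123 with its sender, recipient and MID folded into one record, and ICID 124 flushed on its own at end of input.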