[syslog-ng] Message correlation, everything needs an "@"? And a grep problem.

Balazs Scheidler bazsi at balabit.hu
Thu Mar 3 17:44:56 CET 2011


On Tue, 2011-03-01 at 21:05 +0100, Valentijn Sessink wrote:
> On 01-03-11 20:50, Balazs Scheidler wrote:
> [...]
> > I'd say that not that many people are probably using this feature right
> > now, so I'd go for reverting that patch.
> 
> Or update the documentation :)
> 
> My feeling is that the "@1" adds extra complexity now - see the
> context-id example with "${queueid}@1".
> 
> Given how new this correlating thing is, and the (relative) lack of
> example correlating patterns there is - no, I don't think many people
> are using it... yet ;-)

I now realised what my original intention with this was. So I've now
changed my mind and I think it should stay as it is and the
documentation should be updated instead.

The original intention with adding the currently generated message into
the correlation state as @0 (thereby shifting away the whole context)
is to make it possible to collect values using $(grep) and then
reuse those name-value pairs in another value.

For example, consider a postfix correlation state, which contains a
recipient address in one of its messages, but we don't know which one
exactly (or which order the messages arrive).

In this case we could do something like:

<value name="sender">$(grep ('${.classifier.rule_id}' == 'ruleid-matching-sender-address') ${sender})</value>
<value name="recipient">$(grep ('${.classifier.rule_id}' == 'ruleid-matching-recipient-address') ${recipient})</value>

And then use this in our message template (the same action, 
just another name-value pair assignment)

<value name='MESSAGE'>hey, a message was sent from ${sender} to ${recipient}</value>

This is good news, since I don't have to break the currently released behaviour. :)
I'm happy.

Note to self: I should have written the intentions into the commit 
message at the minimum.

-- 
Bazsi
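
The following is an added example, not part of the original message and not syslog-ng code: a small Python model of the behaviour described above, where values collected with $(grep) are stored on the generated message and then reused by the MESSAGE template. The sample context, the first-match behaviour of `grep`, and the `generated_in_context=False` contrast case (plain macros resolved against the last real message) are assumptions of this model.

```python
import re

# Constructed sample context: two already-parsed postfix messages sharing one
# queue id. Rule ids and field names follow the message above; values are made up.
CONTEXT = [
    {".classifier.rule_id": "ruleid-matching-recipient-address",
     "queueid": "4F1A2B3C", "recipient": "bob@example.org"},
    {".classifier.rule_id": "ruleid-matching-sender-address",
     "queueid": "4F1A2B3C", "sender": "alice@example.com"},
]

MACRO = re.compile(r"\$\{([^}]+)\}")


def expand(template, msg):
    """Replace ${name} with msg[name]; unknown names expand to ''."""
    return MACRO.sub(lambda m: msg.get(m.group(1), ""), template)


def grep(context, rule_id, template):
    """Model of $(grep): expand the template on the first context message
    whose .classifier.rule_id equals rule_id (first-match is an assumption)."""
    for msg in context:
        if msg.get(".classifier.rule_id") == rule_id:
            return expand(template, msg)
    return ""


def run_action(context, generated_in_context=True):
    """Build the generated message value by value, in order."""
    generated = {}
    # Plain macros resolve against the generated message when it is part of
    # the context (@0 in the post); the alternative used here for contrast,
    # the last real message, is an assumption of this model.
    target = generated if generated_in_context else context[-1]
    generated["sender"] = grep(
        context, "ruleid-matching-sender-address", "${sender}")
    generated["recipient"] = grep(
        context, "ruleid-matching-recipient-address", "${recipient}")
    generated["MESSAGE"] = expand(
        "hey, a message was sent from ${sender} to ${recipient}", target)
    return generated


if __name__ == "__main__":
    print(run_action(CONTEXT)["MESSAGE"])
    print(run_action(CONTEXT, generated_in_context=False)["MESSAGE"])
```

In the model, the result is the same whichever order the two postfix messages arrive in, while the contrast case loses whichever address is not on the last message.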


