[syslog-ng] Variables in PatternDB - what am I doing wrong?

Daniel Ankers md1clv at md1clv.com
Fri Nov 4 11:49:46 CET 2011


Hi,
I've got the following as part of my ruleset:

<!-- Match and suppress %TCP-6-BADAUTH messages -->
      <rule id='def42cfb-4364-4cfd-bbf1-cdf4f0bc3c88' class='lowpri'
            context-id="badauth-${badauth.errorsrc}" context-timeout='600'
            context-scope='host'>
        <patterns>
          <pattern>%TCP-6-BADAUTH: No MD5 digest from @IPvANY:badauth.errorsrc:@(@NUMBER::@) to @IPvANY:badauth.errordst:@(@NUMBER::@) (RST)</pattern>
        </patterns>
        <examples>
          <example>
            <test_message program='patternize'>%TCP-6-BADAUTH: No MD5 digest from 195.66.XXX.XX(179) to 195.66.YYYY.YY(56561) (RST)</test_message>
          </example>
          <example>
            <test_message program='patternize'>%TCP-6-BADAUTH: No MD5 digest from 2001:7F8:X::abcd:1(179) to 2001:7F8:X::1234:1(21296) (RST)</test_message>
          </example>
        </examples>
        <actions>
          <action trigger='match'>
            <message>
              <values>
                <value name='MESSAGE'>$(if ("${badauth.errorsrc}@1" eq "${badauth.errorsrc}@2") "Duplicate" "First") BGP Authentication Error to neighbour ${badauth.errorsrc}@1 - last one was ${badauth.errorsrc}@2</value>
              </values>
            </message>
          </action>
        </actions>
      </rule>
<!-- End %TCP-6-BADAUTH -->

When I feed example messages in from a file, I expect to see something
like the following:
Nov  4 10:40:54 syslog First BGP Authentication Error to neighbour
2001:7F8:X::abcd:1 - last one was
Nov  4 10:40:54 syslog Duplicate BGP Authentication Error to neighbour
2001:7F8:X::abcd:1 - last one was 2001:7F8:X::abcd:1
Nov  4 10:40:54 syslog First BGP Authentication Error to neighbour
195.66.Y.Z - last one was
Nov  4 10:40:54 syslog Duplicate BGP Authentication Error to neighbour
195.66.Y.Z - last one was 195.66.Y.Z
Nov  4 10:40:54 syslog Duplicate BGP Authentication Error to neighbour
195.66.Y.Z - last one was 195.66.Y.Z
Nov  4 10:40:54 syslog Duplicate BGP Authentication Error to neighbour
195.66.Y.Z - last one was 195.66.Y.Z

Instead I see:
Nov  4 10:40:54 syslog Duplicate BGP Authentication Error to neighbour
2001:7F8:X::abcd:1 - last one was
Nov  4 10:40:54 syslog Duplicate BGP Authentication Error to neighbour
2001:7F8:X::abcd:1 - last one was 2001:7F8:4::abcd:1
Nov  4 10:40:54 syslog Duplicate BGP Authentication Error to neighbour
195.66.Y.Z - last one was
Nov  4 10:40:54 syslog Duplicate BGP Authentication Error to neighbour
195.66.Y.Z - last one was 195.66.Y.Z
Nov  4 10:40:54 syslog Duplicate BGP Authentication Error to neighbour
195.66.Y.Z - last one was 195.66.Y.Z
Nov  4 10:40:54 syslog Duplicate BGP Authentication Error to neighbour
195.66.Y.Z - last one was 195.66.Y.Z

What am I getting wrong with the "if" function?


The background to this is that the first of these messages from any
host is useful information - however they are sent every 10 seconds
and I'm trying to suppress all but the first message for each
neighbour.  I've tried several different ways of doing this including
rate-limiting on the <action> but none of them have worked the way I
expected.

Thanks,
Dan

Daniel Ankers
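An added example of the "report the first one, stay quiet about the rest" behaviour the post is after, written for this reply and not taken from the original post or from the syslog-ng project. It keeps the per-neighbour context (context-id keyed on the source address, 600 s timeout, host scope) but decides "first vs. repeat" from how many messages the context already holds, using the $(context-length) template function in the action's condition attribute, rather than by comparing name-value pairs between messages. The ruleset and rule ids, the provider name, the badauth.srcport/badauth.dstport names and the pub_date are placeholders; that $(context-length) counts the triggering message itself when the match action is evaluated is an assumption about syslog-ng 3.3 behaviour and should be checked with pdbtool test against real messages before relying on it.

```xml
<?xml version='1.0' encoding='UTF-8'?>
<!-- Example patterndb (added here, not from the original post).
     Assumptions: placeholder ids/provider/pub_date; $(context-length)
     includes the message that triggered the match action. -->
<patterndb version='4' pub_date='2011-11-04'>
  <!-- The ruleset-level pattern is matched against $PROGRAM.
       'patternize' mirrors the program= used in the test messages above. -->
  <ruleset name='cisco-bgp-badauth' id='00000000-0000-0000-0000-000000000001'>
    <pattern>patternize</pattern>
    <rules>
      <!-- One context per (host, neighbour source address). While a context
           is open (600 s since its last message) every further BADAUTH from
           the same neighbour lands in the same context. -->
      <rule provider='example' id='00000000-0000-0000-0000-000000000002'
            class='lowpri'
            context-id='badauth-${badauth.errorsrc}' context-timeout='600'
            context-scope='host'>
        <patterns>
          <!-- @IPvANY@ takes both the IPv4 and the IPv6 form; the ports are
               captured too so the summary can show them. -->
          <pattern>%TCP-6-BADAUTH: No MD5 digest from @IPvANY:badauth.errorsrc:@(@NUMBER:badauth.srcport:@) to @IPvANY:badauth.errordst:@(@NUMBER:badauth.dstport:@) (RST)</pattern>
        </patterns>
        <examples>
          <!-- Constructed test messages with documentation-style addresses. -->
          <example>
            <test_message program='patternize'>%TCP-6-BADAUTH: No MD5 digest from 192.0.2.10(179) to 192.0.2.1(56561) (RST)</test_message>
            <test_values>
              <test_value name='badauth.errorsrc'>192.0.2.10</test_value>
              <test_value name='badauth.srcport'>179</test_value>
            </test_values>
          </example>
          <example>
            <test_message program='patternize'>%TCP-6-BADAUTH: No MD5 digest from 2001:db8::abcd:1(179) to 2001:db8::1234:1(21296) (RST)</test_message>
            <test_values>
              <test_value name='badauth.errorsrc'>2001:db8::abcd:1</test_value>
            </test_values>
          </example>
        </examples>
        <actions>
          <!-- Fires only when the context holds exactly one message, i.e. for
               the first BADAUTH from this neighbour in the current window.
               Repeats within the window match the rule (so they can still be
               dropped by a class/tag filter) but produce no action message. -->
          <action trigger='match' condition='"$(context-length)" == "1"'>
            <message>
              <values>
                <value name='MESSAGE'>BGP authentication error from neighbour ${badauth.errorsrc}:${badauth.srcport} to ${badauth.errordst}:${badauth.dstport} (RST); further reports from this neighbour suppressed for 600s</value>
              </values>
            </message>
          </action>
          <!-- When the neighbour goes quiet for 600 s the context expires and
               one closing summary is emitted with the repeat count. -->
          <action trigger='timeout'>
            <message>
              <values>
                <value name='MESSAGE'>BGP authentication errors from neighbour ${badauth.errorsrc} stopped; $(context-length) message(s) seen in the last window</value>
              </values>
            </message>
          </action>
        </actions>
      </rule>
    </rules>
  </ruleset>
</patterndb>
```

To exercise it offline, run pdbtool test on the file (it checks the patterns against the embedded test messages and the extracted values), then feed a few repeated lines through a file source with a db-parser() pointing at it and watch which action messages appear. The original matched messages are still delivered unless a filter on the 'lowpri' class or on the .classifier.rule_id drops them, so the suppression of the raw messages is a separate filter decision, not something the rule does by itself.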

