[syslog-ng] Referencing earlier message

Tue Nov 8 15:27:04 CET 2011

When using correlating message with syslog-ng 3.3.1 i get only the value in
the last matching rule but not the earlier.
Here is my patterndb.xml

<?xml version='1.0' encoding='UTF-8'?>
> <patterndb version='3' pub_date='2011-11-07'>
>    <ruleset name='ecelerity' id='12345678'>
>       <pattern>ecelerity</pattern>
>       <rules>
>          <rule provider='me' id='123475980' class='system'
>         context-scope='program' context-id='${MSG.UID}'
> context-timeout='10'>
>         <patterns>
>
> <pattern>@ESTRING:LOG.UTC:|@@ESTRING:LOG.UID:|@ORCPTS|@ANYSTRING:LOG.VAL:@
> </pattern>
>         </patterns>

        <examples>
>              <example>
>             <test_message
> program="ecelerity">1319550976|c0a80a3c-b7f6c6d000002063-1f-4ea6c0004833|ORCPTS|s.andriamampianina@
> ***.**</test_message>
>             <test_values>
>               <test_value name="LOG.UTC">1319550976</test_value>
>               <test_value
> name="LOG.UID">c0a80a3c-b7f6c6d000002063-1f-4ea6c0004833</test_value>
>
>               <test_value name="LOG.VAL">s.andriamampianina@
> ***.**</test_value>
>             </test_values>
>              </example>
>           </examples>
>
     </rule>
>      <rule provider='me' id='123475981' class='system'
>             context-id='${MSG.UID}'>
>         <patterns>
>
> <pattern>@ESTRING:LOG.UTC:|@@ESTRING:LOG.UID:|@SENDER|@ANYSTRING:LOG.VAL:@
> </pattern>
>         </patterns>
>         <actions>
>            <action>
>               <message>
>              <values>
>                 <value name="MESSAGE">From ${LOG.VAL}@1 to ${LOG.VAL}@2.
> </value>
>                         <value name="TRIGGER">yes</value>
>                      </values>
>                   </message>
>                </action>
>             </actions>
>          </rule>
>       </rules>
>    </ruleset>
> </patterndb>
>

 And the message i get is "from *****@**.** to ."
Where did I get wrong?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20111108/d8e0e53c/attachment.htm 