[syslog-ng] Referencing earlier message

Wed Nov 9 21:31:13 CET 2011

On Tue, 2011-11-08 at 17:27 +0300, Hery Fanomezantsoa wrote:
> When using correlating message with syslog-ng 3.3.1 i get only the
> value in the last matching rule but not the earlier.
> Here is my patterndb.xml
> 
> 
>         <?xml version='1.0' encoding='UTF-8'?>
>         <patterndb version='3' pub_date='2011-11-07'>
>            <ruleset name='ecelerity' id='12345678'>
>               <pattern>ecelerity</pattern>
>               <rules>
>                  <rule provider='me' id='123475980' class='system'
>                 context-scope='program' context-id='${MSG.UID}'
>         context-timeout='10'>
>                 <patterns>
>                    <pattern>@ESTRING:LOG.UTC:|@@ESTRING:LOG.UID:|
>         @ORCPTS|@ANYSTRING:LOG.VAL:@</pattern>
>                 </patterns>
>                 <examples>
>                      <example>
>                     <test_message program="ecelerity">1319550976|
>         c0a80a3c-b7f6c6d000002063-1f-4ea6c0004833|ORCPTS|
>         s.andriamampianina@***.**</test_message>
>                     <test_values>
>                       <test_value
>         name="LOG.UTC">1319550976</test_value>
>                       <test_value
>         name="LOG.UID">c0a80a3c-b7f6c6d000002063-1f-4ea6c0004833</test_value>              
>                       <test_value
>         name="LOG.VAL">s.andriamampianina@***.**</test_value>
>                     </test_values>
>                      </example>
>                   </examples>              
>         
>              </rule>
>              <rule provider='me' id='123475981' class='system'
>                     context-id='${MSG.UID}'>
>                 <patterns>
>                    <pattern>@ESTRING:LOG.UTC:|@@ESTRING:LOG.UID:|
>         @SENDER|@ANYSTRING:LOG.VAL:@</pattern>
>                 </patterns>
>                 <actions>
>                    <action>
>                       <message>
>                      <values>
>                         <value name="MESSAGE">From ${LOG.VAL}@1 to
>         ${LOG.VAL}@2.</value>
>                                 <value name="TRIGGER">yes</value>
>                              </values>
>                           </message>
>                        </action>
>                     </actions>
>                  </rule>    
>               </rules>
>            </ruleset>
>         </patterndb>
> 
>  And the message i get is "from *****@**.** to ."
> Where did I get wrong?

You seem to be using ${MSG.UID} as the context-id, however you are
defining ${LOG.UID} only. Is it possible it's a typo?

-- 
Bazsi