[syslog-ng] [Bug 232] New: FEATURE: patterndb to support multiple correlation contexts

bugzilla at bugzilla.balabit.com bugzilla at bugzilla.balabit.com
Mon Apr 22 01:03:52 CEST 2013


https://bugzilla.balabit.com/show_bug.cgi?id=232

           Summary: FEATURE: patterndb to support multiple correlation
                    contexts
           Product: syslog-ng
           Version: 3.4.x
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: unspecified
         Component: syslog-ng
        AssignedTo: bazsi at balabit.hu
        ReportedBy: erempel at uvic.ca
Type of the Report: ---
   Estimated Hours: 0.0


I have come across a correlation requirement that the patterndb can not handle.
The general idea is that I need to correlate three lines, where one line has two pieces
of correlation information, each of which correlates to one of the other lines.

Example:


sm-mta[28270]: r3LLxvol028270: from=<someone at uvic.ca>, size=9506, class=0, nrcpts=1, msgid=<110bc310e87975113303806e139628b7.squirrel at wm3.uvic.ca>,
proto=ESMTP, daemon=MTA, relay=[123.69.98.48]

sm-mta[10644]: r3LLxvol028270: to=<someone at uvic.ca>, delay=00:00:00, pri=91535, stat=Rejected as outbound quota has been exceeded.

squirrelmail: Message sent via webmail: by jdc (uvic.ca) at 142.104.193.193 on 04/21/2013 15:01:27: Message-ID:
110bc310e87975113303806e139628b7.squirrel at wm3.uvic.ca


The first line has the ESMTPID (r3LLxvol028270) and the mail msgid (110bc310e87975113303806e139628b7.squirrel at wm3.uvic.ca)
The second line only has the ESMTPID (r3LLxvol028270)
The third line only has the mail msgid (110bc310e87975113303806e139628b7.squirrel at wm3.uvic.ca)

So in this case, the only way to get the authenticated user that had the e-mail "Rejected as outbound quota has been exceeded" is to correlate the
third line to the second line by using the two correlation components from the first line.


I would recommend that the patterndb be changed to permit multiple correlation contexts


<rule id="1" context-timeout="2" context-scope="program" provider="UVic">
    <contexts>
        <context>$HOST:$esmtpid</context>
        <context>$HOST:$msgid</context>
    </contexts>
    <patterns>
        <pattern>@ESTRING:esmtpid::@ from=@QSTRING:from:<>@, size=@NUMBER@, class=@NUMBER@, nrcpts=@NUMBER@, msgid=@QSTRING:msgid:<>@@ANYSTRING@</pattern>
    </patterns>
    <actions>
        <action trigger="timeout">
            <message inherit-properties='TRUE'>
                <value name="MESSAGE">My message here</value>
            </message>
        </action>
    </actions>
</rule>

<rule id="2" context-timeout="2" context-scope="program" provider="UVic">
    <contexts>
        <context>$HOST:$esmtpid</context>
    </contexts>
    <patterns>
        <pattern>@ESTRING:esmtpid::@ to=@QSTRING:to:<>@, delay=@ESTRING:delay:,@ pri=@NUMBER@, stat=Rejected as outbound quota has been exceeded.</pattern>
    </patterns>
    <actions>
        <action trigger="timeout">
            <message inherit-properties='TRUE'>
                <value name="MESSAGE">My message here</value>
            </message>
        </action>
    </actions>
</rule>

<rule id="3" context-timeout="2" context-scope="program" provider="UVic">
    <contexts>
        <context>$HOST:$msgid</context>
    </contexts>
    <patterns>
        <pattern>Message sent via webmail: by @ESTRING:login: @@QSTRING:domain:()@ at @IPv4@ on @ESTRING:date:: @Message-ID: @ANYSTRING:msgid@</pattern>
    </patterns>
    <actions>
        <action trigger="timeout">
            <message inherit-properties='TRUE'>
                <value name="MESSAGE">My message here</value>
            </message>
        </action>
    </actions>
</rule>

Obviously the action could do something a little more useful, but I think the point is clear that all three of these would be
correlated together.


-- 
Configure bugmail: https://bugzilla.balabit.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
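The three-line correlation described in the report, worked through as an added example. This is not code from the bug report and not part of syslog-ng; it shows the join that the proposed multiple-context rules would have to perform. Each message is parsed by one of three rules, every correlation key it carries ($HOST:$esmtpid, $HOST:$msgid) is merged into one group with union-find, and the group that contains both the "Rejected" recipient line and the webmail line yields the authenticated user. The sample log lines are constructed from the ones in the report (with the list archive's address obfuscation undone); the rule names, regexes and host name are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the three lines in the bug report (host name assumed).
SAMPLE_LOG = [
    ("mx1", "sm-mta[28270]: r3LLxvol028270: from=<someone@uvic.ca>, size=9506, class=0, nrcpts=1, "
            "msgid=<110bc310e87975113303806e139628b7.squirrel@wm3.uvic.ca>, proto=ESMTP, daemon=MTA, "
            "relay=[123.69.98.48]"),
    ("mx1", "sm-mta[10644]: r3LLxvol028270: to=<someone@uvic.ca>, delay=00:00:00, pri=91535, "
            "stat=Rejected as outbound quota has been exceeded."),
    ("mx1", "squirrelmail: Message sent via webmail: by jdc (uvic.ca) at 142.104.193.193 on "
            "04/21/2013 15:01:27: Message-ID: 110bc310e87975113303806e139628b7.squirrel@wm3.uvic.ca"),
]

# Stand-ins for the three patterndb rules; rule names are assumptions. Each regex's
# named groups are the fields the pattern would extract; "esmtpid" and "msgid" are the
# two correlation keys, mirroring the <context>$HOST:$esmtpid</context> / $HOST:$msgid idea.
RULES = {
    "mta_from": re.compile(r"^sm-mta\[\d+\]: (?P<esmtpid>\w+): from=<(?P<from>[^>]*)>, .*msgid=<(?P<msgid>[^>]+)>"),
    "mta_to": re.compile(r"^sm-mta\[\d+\]: (?P<esmtpid>\w+): to=<(?P<to>[^>]*)>, .*stat=(?P<stat>.+)$"),
    "webmail": re.compile(r"^squirrelmail: Message sent via webmail: by (?P<login>\S+) \((?P<domain>[^)]*)\) "
                          r"at (?P<ip>[\d.]+) on (?P<date>.+?): Message-ID: (?P<msgid>\S+)$"),
}
CONTEXT_KEYS = ("esmtpid", "msgid")


class Correlator:
    """Union-find over context keys: a message that carries two keys merges the two contexts."""

    def __init__(self):
        self.parent = {}                    # key -> parent key (root points to itself)
        self.members = defaultdict(list)    # root key -> [(rule name, fields), ...]

    def _find(self, key):
        self.parent.setdefault(key, key)
        while self.parent[key] != key:
            self.parent[key] = self.parent[self.parent[key]]   # path halving
            key = self.parent[key]
        return key

    def _union(self, a, b):
        ra, rb = self._find(a), self._find(b)
        if ra != rb:
            self.parent[rb] = ra
            self.members[ra].extend(self.members.pop(rb, []))
        return ra

    def feed(self, host, message):
        """Classify one message; returns the matching rule name or None."""
        for name, rx in RULES.items():
            m = rx.match(message)
            if not m:
                continue
            fields = m.groupdict()
            keys = [f"{host}:{fields[k]}" for k in CONTEXT_KEYS if fields.get(k)]
            root = self._find(keys[0])
            for key in keys[1:]:                # the from= line carries both keys and bridges them
                root = self._union(root, key)
            self.members[root].append((name, fields))
            return name
        return None

    def groups(self):
        return [msgs for msgs in self.members.values() if msgs]


def correlate(lines):
    c = Correlator()
    for host, msg in lines:
        c.feed(host, msg)
    return c


def rejected_webmail_senders(correlator):
    """For every group holding a Rejected recipient line and a webmail line, name the user."""
    hits = []
    for group in correlator.groups():
        by_rule = defaultdict(list)
        for name, fields in group:
            by_rule[name].append(fields)
        for rej in (f for f in by_rule["mta_to"] if f["stat"].startswith("Rejected")):
            for wm in by_rule["webmail"]:
                hits.append({"login": wm["login"], "ip": wm["ip"], "esmtpid": rej["esmtpid"],
                             "to": rej["to"], "stat": rej["stat"]})
    return hits


if __name__ == "__main__":
    for hit in rejected_webmail_senders(correlate(SAMPLE_LOG)):
        print(hit)
```

Because the merge is done on keys rather than on a fixed context id, the result is the same whichever of the three lines arrives first, which matters when the webmail line is logged before sendmail's from= line. What this example leaves out is the context-timeout from the report's rules: a production correlator would expire a group some seconds after its last message, and the from= line would have to arrive within that window to bridge the other two.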
