[syslog-ng] problem tagging with patterndb (syslog-ng 3.4.1)

mailing lists listas.correo at yahoo.es
Tue Aug 6 10:01:26 CEST 2013


Hello all,

I am having a problem understanding patterndb and tags. For the following rule, the log line is matched but tags are not set in the pdbtool output. What am I missing here?


      <rule id="dad57bd5-6f9e-47b8-9e9f-401e3eb34334" provider="user" class="system">
        <patterns>
          <pattern>@ESTRING:postfix.qid::@ to=@QSTRING:postfix.to:&lt;&gt;@, orig_to=@QSTRING:postfix.orig_to:&lt;&gt;@, relay=@ESTRING:postfix.relay.hostname:[@@ESTRING:postfix.relay.path:]@, delay=@ESTRING:postfix.delay:,@ delays=@ESTRING:postfix.delays.1:/@@ESTRING:postfix.delays.2:/@@ESTRING:postfix.delays.3:/@@ESTRING:postfix.delays.4:,@ dsn=@ESTRING:postfix.dsn:,@ status=@ESTRING:postfix.status: @@QSTRING:postfix.statusmsg:()@</pattern>
          <pattern>@ESTRING:postfix.qid::@ to=@QSTRING:postfix.to:&lt;&gt;@, orig_to=@QSTRING:postfix.orig_to:&lt;&gt;@, relay=@ESTRING:postfix.relay.hostname:[@@ESTRING:postfix.relay.path:]@:24, delay=@ESTRING:postfix.delay:,@ delays=@ESTRING:postfix.delays.1:/@@ESTRING:postfix.delays.2:/@@ESTRING:postfix.delays.3:/@@ESTRING:postfix.delays.4:,@ dsn=@ESTRING:postfix.dsn:,@ status=@ESTRING:postfix.status: @@QSTRING:postfix.statusmsg:()@</pattern>
          <pattern>@ESTRING:postfix.qid::@ to=@QSTRING:postfix.to:&lt;&gt;@, orig_to=@QSTRING:postfix.orig_to:&lt;&gt;@, relay=@ESTRING:postfix.relay.hostname:[@@ESTRING:postfix.relay.path:]@:24, delay=@ESTRING:postfix.delay:,@ delays=@ESTRING:postfix.delays.1:/@@ESTRING:postfix.delays.2:/@@ESTRING:postfix.delays.3:/@@ESTRING:postfix.delays.4:,@ dsn=@ESTRING:postfix.dsn:,@ status=@ESTRING:postfix.status: @(@ESTRING:postfix.status.code1: @@ESTRING:postfix.status.code2: @@EMAIL:postfix.status.recipient:&lt;&gt; @@ESTRING:postfix.status.qid: @Saved)</pattern>
        </patterns>
        <tags>
          <tag>postfix</tag>
          <tag>lmtp</tag>
        </tags>
      </rule>


$ pdbtool match -P 'postfix' -p postfix.pdb -D -c -f mail.log

Pattern matching part:
@ESTRING:postfix.qid=B5BBAADB@ to=@QSTRING:postfix.to=user002 at example.com@, orig_to=@QSTRING:postfix.orig_to=noreply at example.com@, relay=@ESTRING:postfix.relay.hostname=lmtp.example.com@@ESTRING:postfix.relay.path=10.180.242.142@:24, delay=@ESTRING:postfix.delay=0.07@ delays=@ESTRING:postfix.delays.1=0.04@@ESTRING:postfix.delays.2=0@@ESTRING:postfix.delays.3=0@@ESTRING:postfix.delays.4=0.03@ dsn=@ESTRING:postfix.dsn=2.0.0@ status=@ESTRING:postfix.status=sent@(@ESTRING:postfix.status.code1=250@@ESTRING:postfix.status.code2=2.0.0@@EMAIL:postfix.status.recipient=noreply at example.com@@ESTRING:postfix.status.qid=XP52K7Bp+1G/FAAAtCZERg at Saved)
Matching part:
B5BBAADB: to=<user002 at example.com>, orig_to=<noreply at example.com>, relay=lmtp.example.com[10.180.242.142]:24, delay=0.07, delays=0.04/0/0/0.03, dsn=2.0.0, status=sent (250 2.0.0 <noreply at example.com> XP52K7Bp+1G/FAAAtCZERg Saved)
Values:
HOST=mailserver
MESSAGE=B5BBAADB: to=<user002 at example.com>, orig_to=<noreply at example.com>, relay=lmtp.example.com[10.180.242.142]:24, delay=0.07, delays=0.04/0/0/0.03, dsn=2.0.0, status=sent (250 2.0.0 <noreply at example.com> XP52K7Bp+1G/FAAAtCZERg Saved)
PROGRAM=postfix/lmtp
PID=29484
LEGACY_MSGHDR=postfix/lmtp[29484]: 
.classifier.class=system
.classifier.rule_id=dad57bd5-6f9e-47b8-9e9f-401e3eb34334
postfix.qid=B5BBAADB
postfix.to=user002 at example.com
postfix.orig_to=noreply at example.com
postfix.relay.hostname=lmtp.example.com
postfix.relay.path=10.180.242.142
postfix.delay=0.07
postfix.delays.1=0.04
postfix.delays.2=0
postfix.delays.3=0
postfix.delays.4=0.03
postfix.dsn=2.0.0
postfix.status=sent
postfix.status.code1=250
postfix.status.code2=2.0.0
postfix.status.recipient=noreply at example.com
postfix.status.qid=XP52K7Bp+1G/FAAAtCZERg
TAGS=

