[syslog-ng] problem tagging with patterndb (syslog-ng 3.4.1)
Evan Rempel
erempel at uvic.ca
Tue Aug 6 15:47:05 CEST 2013
Pdbtool output does not show tags until 3.4.2
-------- Original message --------
From: mailing lists <listas.correo at yahoo.es>
Date: 08-06-2013 1:01 AM (GMT-08:00)
To: syslog-ng at lists.balabit.hu
Subject: [syslog-ng] problem tagging with patterndb (syslog-ng 3.4.1)
Hello all,
I am having a problem understanding patterndb and tags. For the following rule, the log line is matched but tags are not settled in the pdbtool output. What am I missing here?
<rule id="dad57bd5-6f9e-47b8-9e9f-401e3eb34334" provider="user" class="system">
  <patterns>
    <pattern>@ESTRING:postfix.qid::@ to=@QSTRING:postfix.to:&lt;&gt;@, orig_to=@QSTRING:postfix.orig_to:&lt;&gt;@, relay=@ESTRING:postfix.relay.hostname:[@@ESTRING:postfix.relay.path:]@, delay=@ESTRING:postfix.delay:,@ delays=@ESTRING:postfix.delays.1:/@@ESTRING:postfix.delays.2:/@@ESTRING:postfix.delays.3:/@@ESTRING:postfix.delays.4:,@ dsn=@ESTRING:postfix.dsn:,@ status=@ESTRING:postfix.status: @@QSTRING:postfix.statusmsg:()@</pattern>
    <pattern>@ESTRING:postfix.qid::@ to=@QSTRING:postfix.to:&lt;&gt;@, orig_to=@QSTRING:postfix.orig_to:&lt;&gt;@, relay=@ESTRING:postfix.relay.hostname:[@@ESTRING:postfix.relay.path:]@:24, delay=@ESTRING:postfix.delay:,@ delays=@ESTRING:postfix.delays.1:/@@ESTRING:postfix.delays.2:/@@ESTRING:postfix.delays.3:/@@ESTRING:postfix.delays.4:,@ dsn=@ESTRING:postfix.dsn:,@ status=@ESTRING:postfix.status: @@QSTRING:postfix.statusmsg:()@</pattern>
    <pattern>@ESTRING:postfix.qid::@ to=@QSTRING:postfix.to:&lt;&gt;@, orig_to=@QSTRING:postfix.orig_to:&lt;&gt;@, relay=@ESTRING:postfix.relay.hostname:[@@ESTRING:postfix.relay.path:]@:24, delay=@ESTRING:postfix.delay:,@ delays=@ESTRING:postfix.delays.1:/@@ESTRING:postfix.delays.2:/@@ESTRING:postfix.delays.3:/@@ESTRING:postfix.delays.4:,@ dsn=@ESTRING:postfix.dsn:,@ status=@ESTRING:postfix.status: @(@ESTRING:postfix.status.code1: @@ESTRING:postfix.status.code2: @@EMAIL:postfix.status.recipient:&lt;&gt; @@ESTRING:postfix.status.qid: @Saved)</pattern>
  </patterns>
  <tags>
    <tag>postfix</tag>
    <tag>lmtp</tag>
  </tags>
</rule>
$ pdbtool match -P 'postfix' -p postfix.pdb -D -c -f mail.log
Pattern matching part:
@ESTRING:postfix.qid=B5BBAADB@ to=@QSTRING:postfix.to=user002 at example.com@, orig_to=@QSTRING:postfix.orig_to=noreply at example.com@, relay=@ESTRING:postfix.relay.hostname=lmtp.example.com@@ESTRING:postfix.relay.path=10.180.242.142@:24, delay=@ESTRING:postfix.delay=0.07@ delays=@ESTRING:postfix.delays.1=0.04@@ESTRING:postfix.delays.2=0@@ESTRING:postfix.delays.3=0@@ESTRING:postfix.delays.4=0.03@ dsn=@ESTRING:postfix.dsn=2.0.0@ status=@ESTRING:postfix.status=sent@(@ESTRING:postfix.status.code1=250@@ESTRING:postfix.status.code2=2.0.0@@EMAIL:postfix.status.recipient=noreply at example.com@@ESTRING:postfix.status.qid=XP52K7Bp+1G/FAAAtCZERg at Saved)
Matching part:
B5BBAADB: to=<user002 at example.com>, orig_to=<noreply at example.com>, relay=lmtp.example.com[10.180.242.142]:24, delay=0.07, delays=0.04/0/0/0.03, dsn=2.0.0, status=sent (250 2.0.0 <noreply at example.com> XP52K7Bp+1G/FAAAtCZERg Saved)
Values:
HOST=mailserver
MESSAGE=B5BBAADB: to=<user002 at example.com>, orig_to=<noreply at example.com>, relay=lmtp.example.com[10.180.242.142]:24, delay=0.07, delays=0.04/0/0/0.03, dsn=2.0.0, status=sent (250 2.0.0 <noreply at example.com> XP52K7Bp+1G/FAAAtCZERg Saved)
PROGRAM=postfix/lmtp
PID=29484
LEGACY_MSGHDR=postfix/lmtp[29484]:
.classifier.class=system
.classifier.rule_id=dad57bd5-6f9e-47b8-9e9f-401e3eb34334
postfix.qid=B5BBAADB
postfix.to=user002 at example.com
postfix.orig_to=noreply at example.com
postfix.relay.hostname=lmtp.example.com
postfix.relay.path=10.180.242.142
postfix.delay=0.07
postfix.delays.1=0.04
postfix.delays.2=0
postfix.delays.3=0
postfix.delays.4=0.03
postfix.dsn=2.0.0
postfix.status=sent
postfix.status.code1=250
postfix.status.code2=2.0.0
postfix.status.recipient=noreply at example.com
postfix.status.qid=XP52K7Bp+1G/FAAAtCZERg
TAGS=
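The reply in this thread says pdbtool does not print tags before 3.4.2, so the empty TAGS= line does not tell you what the matched rule declares. As an added example (not part of the original thread and not syslog-ng code), this Python script reads `.classifier.rule_id` from the pdbtool values and lists the tags that rule declares in the database but that TAGS= does not show. The function names, the `<patterndb>`/`<ruleset>` wrapper around the rule, and the comma-separated form of TAGS= are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: rule id and tags are the ones quoted in the message; the
# pattern is shortened and the <patterndb>/<ruleset> wrapper and ids are assumed.
SAMPLE_PDB = """<patterndb version="4" pub_date="2013-08-06">
 <ruleset name="postfix" id="00000000-0000-0000-0000-000000000000">
  <pattern>postfix/lmtp</pattern>
  <rules>
   <rule id="dad57bd5-6f9e-47b8-9e9f-401e3eb34334" provider="user" class="system">
    <patterns><pattern>@ESTRING:postfix.qid::@ to=@QSTRING:postfix.to:&lt;&gt;@</pattern></patterns>
    <tags><tag>postfix</tag><tag>lmtp</tag></tags>
   </rule>
  </rules>
 </ruleset>
</patterndb>"""

# Value lines copied from the pdbtool output in the message.
SAMPLE_OUTPUT = """.classifier.class=system
.classifier.rule_id=dad57bd5-6f9e-47b8-9e9f-401e3eb34334
postfix.status=sent
TAGS=
"""

def declared_tags(pdb_xml):
    """Map each rule id to the tags declared directly under its <tags> element."""
    root = ET.fromstring(pdb_xml)
    return {rule.get("id"): [t.text.strip() for t in rule.findall("tags/tag") if t.text]
            for rule in root.iter("rule")}

def parse_values(output):
    """Parse the NAME=VALUE lines of a pdbtool 'Values:' section into a dict."""
    values = {}
    for line in output.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            values[name.strip()] = value.strip()
    return values

def missing_tags(pdb_xml, output):
    """Tags the matched rule declares that the TAGS= line does not list."""
    values = parse_values(output)
    expected = declared_tags(pdb_xml).get(values.get(".classifier.rule_id"), [])
    # Assumption: TAGS= holds a comma-separated list, like syslog-ng's $TAGS macro.
    shown = {t.strip() for t in values.get("TAGS", "").split(",") if t.strip()}
    return [t for t in expected if t not in shown]

if __name__ == "__main__":
    print(missing_tags(SAMPLE_PDB, SAMPLE_OUTPUT))
```

A non-empty result against a real database means the rule carries the tags and the gap is in what pdbtool displays, not in the rule definition.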