I asked this another way the other day, but maybe this puts it a
better way.
Is there a way to extract data from a context as part of an action?
I have rules that parse a syslog-incapable LDAP log that consists of
multi-line records. I'm trying to write a syslog event for successful
and failed logins.
The record is identified by a conn=####### in each line (matching #'s
are the same connection and thus the same record). I need to extract
IP address, user id, and success/failure result, each of which is on a
separate line.
I started off by creating a context called LDAP_CONN_##### (with ####
taken from the conn=##### information), so one context per active
connection.
Next, as IP and UID are detected, I add those to the context like this:
action=add LDAP_CONN_$1 IP=$2
...
action=add LDAP_CONN_$2 UID=$2
When I detect the result, I note it as success or failure and I can
log that:
action=logonly
but it just logs "LDAP success (conn=####)" without any info from the
context.
My question is, how can I pull the data out of the context and
construct a line with all of it? In other words, I'd like to write
something like:
action=logonly "authentication failed for LDAP_CONN_$1['UID'] from
LDAP_CONN_$1['IP'] (conn=$1)"
or, alternatively, put that in the desc= line, and use a simple
action=logonly
Am I even going about this the right way?
--
Don Faulkner
[email protected]
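A stand-alone Python model of the correlation described in the post, added here as an illustration rather than taken from the post or from SEC itself: one dict per conn=#### plays the role of the context, IP and UID are filled in from their separate lines, and the combined message is built at the RESULT line. The log lines are constructed, loosely after the OpenLDAP slapd connection-log format.

```python
import re
from typing import Dict, List

# Constructed sample, modelled loosely on OpenLDAP slapd logging.
# Two connections interleave, so per-connection state is required.
SAMPLE_LOG = """\
conn=1001 fd=12 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)
conn=1002 fd=13 ACCEPT from IP=198.51.100.7:40001 (IP=0.0.0.0:389)
conn=1001 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
conn=1002 op=0 BIND dn="uid=bob,ou=people,dc=example,dc=com" method=128
conn=1002 op=0 RESULT tag=97 err=49 text=
conn=1001 op=0 RESULT tag=97 err=0 text=
conn=1001 fd=12 closed
"""

ACCEPT = re.compile(r"^conn=(\d+) .*ACCEPT from IP=([\d.]+):\d+")
BIND = re.compile(r'^conn=(\d+) op=\d+ BIND dn="([^"]+)"')
RESULT = re.compile(r"^conn=(\d+) op=\d+ RESULT tag=97 err=(\d+)")  # tag=97: bind response
CLOSED = re.compile(r"^conn=(\d+) fd=\d+ closed")


def correlate(lines) -> List[str]:
    """Return one syslog-style message per BIND result, with the IP and DN
    recovered from the same connection's earlier lines."""
    contexts: Dict[str, Dict[str, str]] = {}  # conn id -> fields seen so far
    events: List[str] = []
    for line in lines:
        if m := ACCEPT.match(line):
            contexts[m[1]] = {"IP": m[2]}            # create LDAP_CONN_<id>, add IP
        elif m := BIND.match(line):
            contexts.setdefault(m[1], {})["UID"] = m[2]   # add UID to the context
        elif m := RESULT.match(line):
            ctx = contexts.get(m[1], {})             # pull the data back out
            outcome = "succeeded" if m[2] == "0" else f"failed (err={m[2]})"
            events.append(
                f"LDAP authentication {outcome} for {ctx.get('UID', '?')} "
                f"from {ctx.get('IP', '?')} (conn={m[1]})"
            )
        elif m := CLOSED.match(line):
            contexts.pop(m[1], None)                 # connection ended, drop context
    return events


if __name__ == "__main__":
    for event in correlate(SAMPLE_LOG.splitlines()):
        print(event)
```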
Simple-evcorr-users mailing list
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users