I must be missing something simple... I'm trying to set up a means to create a context of unknown log entries where the first message creates the context, it gets added to the context, and then any other messages that are processed are also added. When the context expires (I have it set REALLY small for testing purposes), the contents are then emailed out. The code below works but only with the first message that arrives. Once the context expires it won't get recreated by the first message to come in after expiration. What am I missing here?

type=single
desc=Tag unknown events
ptype=regexp
pattern=^UNDUP:(\w+\s+\d+\s+\d+:\d+:\d+) (.+)
action=event 0 UNKNOWN:$1 $2

type=single
desc=$0
ptype=regexp
context=UNKNOWN_REPORT
pattern=^UNKNOWN
action=add UNKNOWN_REPORT

type=single
desc=$0
continue=takenext
ptype=regexp
pattern=^UNKNOWN
action=create UNKNOWN_REPORT 30 report UNKNOWN_REPORT /usr/bin/mutt -s "SEC: Unknown log entries report" [EMAIL PROTECTED]

type=single
desc=$0
ptype=regexp
pattern=^UNKNOWN
action=add UNKNOWN_REPORT

Thanks!

_______________________________________________
Simple-evcorr-users mailing list
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
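
An added example, not part of the original post and not SEC code: a small Python reference model of the lifecycle the post is aiming for (the first tagged line creates the context, later lines are added, expiry emits the report, and the next tagged line creates the context again). It can serve as an oracle when testing a rule set against replayed input. The class, the function names and the sample log lines are constructed for illustration; only the regular expression, the UNKNOWN: tag and the 30-second lifetime come from the post.

```python
import re

# Pattern from the first rule in the post: tags an UNDUP line as UNKNOWN.
UNDUP = re.compile(r'^UNDUP:(\w+\s+\d+\s+\d+:\d+:\d+) (.+)')
LIFETIME = 30  # seconds, the context lifetime used in the post


class UnknownReport:
    """Reference model of the intended UNKNOWN_REPORT lifecycle (not SEC itself)."""

    def __init__(self, lifetime=LIFETIME):
        self.lifetime = lifetime
        self.deadline = None   # None means the context does not exist
        self.lines = []
        self.reports = []      # each entry stands in for one mailed report

    def tick(self, now):
        """Expire the context if its lifetime has passed, emitting the report."""
        if self.deadline is not None and now >= self.deadline:
            self.reports.append((self.deadline, list(self.lines)))
            self.deadline, self.lines = None, []

    def feed(self, now, line):
        """Process one input line observed at time `now` (seconds)."""
        self.tick(now)
        m = UNDUP.match(line)
        if not m:
            return False
        if self.deadline is None:          # first message creates the context
            self.deadline = now + self.lifetime
        self.lines.append(f"UNKNOWN:{m.group(1)} {m.group(2)}")
        return True


def run(events, end):
    """Replay (time, line) pairs in order, then advance the clock to `end`."""
    model = UnknownReport()
    for now, line in events:
        model.feed(now, line)
    model.tick(end)
    return model.reports


# Constructed sample input: two bursts separated by more than one lifetime.
SAMPLE = [
    (0,  "UNDUP:Oct  3 10:00:00 host1 foo[12]: odd message A"),
    (5,  "UNDUP:Oct  3 10:00:05 host1 foo[12]: odd message B"),
    (12, "Oct  3 10:00:12 host1 sshd[9]: not tagged, ignored"),
    (40, "UNDUP:Oct  3 10:00:40 host2 bar[7]: odd message C"),
]
```

Replaying the same lines through the real rule set and comparing the number and contents of the mailed reports against `run(SAMPLE, 100)` shows whether the context is being created a second time.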
