izik
Level 7

correlation rule

Hi,

Let's say I have 2 separate logs with a shared field.

This is how the mailGW sends the syslog for every mail.

For example:

log 1 -

mail id - 123asd

subject - this is test

log 2 -

mail id - 123asd

direction - external

How can I combine these logs?

I want to create a rule like this:

5 different mail IDs with the same subject and direction

Is it possible?

0 Kudos
3 Replies
abanaru
Level 11

Re: correlation rule

This should work for you but I haven't tested it.

0 Kudos
izik
Level 7

Re: correlation rule

Hi,

It doesn't work.

Please note that the subject field is in another event; it's a bit tricky.

I will try to explain better:

For every mail, the mail gateway sends a few syslogs:

1 with mail ID and subject

1 with mail ID and direction

and so on... For every mail the mail ID is the same.

I created an ASP rule for every syslog.

Now I have 6 different ASP rules for this data source.

So the problem is that when I create a rule with the direction field, the event doesn't contain the subject field, and I don't know how to connect them.

I hope that's understandable.

0 Kudos
sssyyy
Level 12

Re: correlation rule

Yeah, it will be difficult, if at all doable, as you are trying to match a particular field. Can you try to group by Mail ID?

0 Kudos
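
The correlation asked for in this thread, sketched outside the SIEM as an added example (it is not from any poster and is not the SIEM's rule syntax): first join the partial syslog events on the shared mail ID, then count distinct mail IDs per (subject, direction). The field names `mail_id`, `subject`, `direction`, the function names and the sample events are constructed for illustration.

```python
from collections import defaultdict

THRESHOLD = 5  # "5 different mail IDs with the same subject and direction"

def merge_by_mail_id(events):
    """Stage 1: fold the partial events of each mail into one record."""
    mails = defaultdict(dict)
    for ev in events:
        mail_id = ev.get("mail_id")
        if not mail_id:
            continue  # an event without the shared key cannot be joined
        mails[mail_id].update({k: v for k, v in ev.items() if k != "mail_id"})
    return mails

def correlate(events, threshold=THRESHOLD):
    """Stage 2: return {(subject, direction): [mail ids]} for every group
    that reaches `threshold` distinct mail ids."""
    groups = defaultdict(set)
    for mail_id, rec in merge_by_mail_id(events).items():
        # A mail is counted only once both halves have been seen.
        if "subject" in rec and "direction" in rec:
            groups[(rec["subject"], rec["direction"])].add(mail_id)
    return {k: sorted(v) for k, v in groups.items() if len(v) >= threshold}

def sample_events():
    """Constructed sample: subject and direction arrive as separate events."""
    events = [{"mail_id": f"id{i}", "subject": "this is test"} for i in range(1, 6)]
    events += [{"mail_id": f"id{i}", "direction": "external"} for i in range(1, 6)]
    events += [
        {"mail_id": "id6", "subject": "this is test"},
        {"mail_id": "id6", "direction": "internal"},    # same subject, other direction
        {"mail_id": "id7", "subject": "this is test"},  # direction event never arrived
        {"mail_id": "id1", "direction": "external"},    # duplicate, must not inflate the count
    ]
    return events

if __name__ == "__main__":
    for (subject, direction), ids in correlate(sample_events()).items():
        print(f"ALERT subject={subject!r} direction={direction} mail_ids={ids}")
```

The sketch keeps all state in memory and has no time window; a production rule would also bound how long a half-seen mail ID is held and over what period the five mails are counted.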