3 Replies Latest reply on Dec 20, 2016 3:35 AM by sssyyy

    correlation rule



      Let's say I have 2 separate logs with a shared field.

      This is how the mailGW sends the syslog for every mail.

      For example:


      log 1 -


      mail id - 123asd

      subject - this is test


      log 2 -


      mail id - 123asd

      direction - external


      How can I combine these logs?


      I want to create a rule like this:


      5 different mail IDs with the same subject and direction


      Is it possible?



        • 1. Re: correlation rule

          This should work for you but I haven't tested it.


          • 2. Re: correlation rule



            It doesn't work.


            Please note that the subject field is in another event; it's a bit tricky.


            I will try to explain better:


            For every mail, the mail gateway sends a few syslog messages:

            1 with mail id and subject

            1 with mail id and direction

            and so on... For every mail the mail id is the same.


            I created an ASP rule for every syslog.

            Now I have 6 different ASP rules for this data source.


            So the problem is that when I create a rule with the direction field, the event doesn't contain the subject field, and I don't know how to connect them.



            I hope it's understood....

            • 3. Re: correlation rule

              Yeah, it will be difficult, if at all doable, as you are trying to match a particular field. Can you try grouping by Mail ID?
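
The correlation asked for in this thread, sketched outside the SIEM as an added example (not posted by any participant, and not the product's rule syntax): partial events are first merged on the shared mail id, then distinct mail ids are counted per subject and direction. The field names, the threshold constant and the sample events are assumptions constructed for illustration, and the time window a real correlation rule would apply is left out.

```python
from collections import defaultdict

THRESHOLD = 5  # "5 different mail IDs with the same subject and direction"

# Constructed sample input: one dict per parsed syslog line (assumed field names).
SAMPLE_EVENTS = [{"mail_id": f"id{i}", "subject": "this is test"} for i in range(1, 6)]
SAMPLE_EVENTS += [{"mail_id": f"id{i}", "direction": "external"} for i in range(1, 6)]
SAMPLE_EVENTS += [
    {"mail_id": "id1", "direction": "external"},    # duplicate log, counted once
    {"mail_id": "id6", "subject": "this is test"},
    {"mail_id": "id6", "direction": "internal"},    # same subject, other direction
    {"mail_id": "id7", "subject": "this is test"},  # direction log never arrived
]


def stitch_by_mail_id(events):
    """Merge the partial events that share a mail id into one record per mail."""
    mails = defaultdict(dict)
    for ev in events:
        fields = {k: v for k, v in ev.items() if k != "mail_id"}
        mails[ev["mail_id"]].update(fields)
    return dict(mails)


def correlate(events, threshold=THRESHOLD):
    """Return {(subject, direction): [mail ids]} for groups reaching the threshold."""
    groups = defaultdict(set)
    for mail_id, rec in stitch_by_mail_id(events).items():
        # A mail is only usable once both of its logs have been seen.
        if "subject" not in rec or "direction" not in rec:
            continue
        # A set keeps each mail id once, so repeated logs do not inflate the count.
        groups[(rec["subject"], rec["direction"])].add(mail_id)
    return {key: sorted(ids) for key, ids in groups.items() if len(ids) >= threshold}


if __name__ == "__main__":
    for (subject, direction), ids in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT subject={subject!r} direction={direction} mail_ids={ids}")
```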