<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">A while back I was asking about the
json parser and how to get the TAGS from the json object into the<br>
TAGS of the syslog-ng internal structure so that I could make
filters on them.<br>
<br>
Now I am trying again, following Balazs suggestion of using
set-tag(), however, I find that the rewrite<br>
<br>
rewrite r_set_sometag {<br>
set-tag("sometag" condition(filter(f_should_set_sometag)) );<br>
};<br>
<br>
is not supported.<br>
<br>
I thought that I would be able to use the filter in the log
statement such as<br>
<br>
log {<br>
source(s_some);<br>
log {<br>
filter(f_should_set_sometag);<br>
rewrite(r_set_sometag);<br>
destination(d_dest);<br>
};<br>
};<br>
<br>
This works for one tag, but I have multiple tags that I want to
set which gives be a factorial(N)<br>
branching sequence which is not feasible.<br>
<br>
Using junction/channels ends up producing multiple output lines
when multiple TAGS are set :-(<br>
<br>
Can anyone think of a way to set an arbitrary set of TAGS on a
syslog message given an<br>
arbitrary set of "set-tag-flags" presented in other macro values?<br>
<br>
Should the set-tag rewrite support conditionals?<br>
<br>
Thanks in advance ... again.<br>
<br>
Evan.<br>
<br>
On 03/28/2013 09:56 PM, Balazs Scheidler wrote:<br>
</div>
<blockquote cite="mid:1364532980.10238.11.camel@Nokia-N900-51-1"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<meta name="generator" content="Osso Notes">
<title></title>
<p>
<br>
Hi,
<br>
<br>
the simplest way right now is the set-tag() rewrite operation,
that together with condition() might do the trick.
<br>
<br>
I know there should be an easier way, but I'm afraid there
isn't.
<br>
<br>
I'm thinking about how this should work in the long term, but
right now I don't have a clear idea.
<br>
<br>
----- Original message -----
<br>
> I have a situation where syslog-ng processes a syslog line,
users
<br>
> paserdb and does lots of work and finally sends the
complete object via
<br>
> json to an external application. This application does some
thinking and
<br>
> based on some other data sources needs to send the log
message back into
<br>
> syslog-ng with a different set of TAGS so that it gets
routed through
<br>
> syslog-ng to a different destination program.
<br>
> <br>
> The problem I am having is that syslog-ng does not use the
TAGS in the
<br>
> incoming json object. The TAGS get replaced with the TAGS
on the
<br>
> "source" of the syslog-ng that reads the json object, and
augmented with
<br>
> any patterndb processing.
<br>
> <br>
> Can anyone think of a way to get some arbitrary set of TAGS
(possibly in
<br>
> a different custom macro) placed into the TAGS macro so
that all of the
<br>
> filters on tags can be used.
<br>
> <br>
> For example, I could make a patterndb for each individual
tag value, and
<br>
> invoke each patterndb on the MyTags value. If there is a
match then tag
<br>
> the message with the TAG. I would need to know all of the
TAGS in
<br>
> advance and would probably not perform all that well, but
it would work.
<br>
</p>
</blockquote>
<br>
</body>
</html>