<div dir="ltr">it was implemented in 2010, in syslog-ng 3.2 by this patch:<br><br>Author: Balazs Scheidler <<a href="mailto:bazsi@balabit.hu">bazsi@balabit.hu</a>> 2010-07-29 09:59:53<br>Committer: Balazs Scheidler <<a href="mailto:bazsi@balabit.hu">bazsi@balabit.hu</a>> 2010-07-29 09:59:53<br>Parent: aeab9e22207cb7700a0e0cfb359e2f1adc221301 (logrewrite: cleaned up naming of subst specific methods)<br>Branches: master and many more (547)<br>Follows: v3.2alpha1<br>Precedes: v3.2beta1<br><br> rewrite: implement condition() option for rewrite expressions<br> <br> This patch implements condition() option for rewrite expression, which<br> makes it possible to only apply a given reply rule if the<br> message matches the filter.<br> <br> For example:<br> <br> set("something new" condition(facility(auth)));<br></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><div dir="ltr">-- <br>Bazsi<br></div></div></div>
<br><div class="gmail_quote">On Tue, Jan 12, 2016 at 5:54 PM, Mark Shetka <span dir="ltr"><<a href="mailto:mshetka@d.umn.edu" target="_blank">mshetka@d.umn.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Thanks. Do you know when set condition became available in rewrite?<br></div><div class="gmail_extra"><span class=""><br clear="all"><div><div><div dir="ltr"><div><div dir="ltr"><div>--</div>Mark Shetka<br>Infrastructure Analyst - Network Team<br>Information Technology Systems & Services<br>University of Minnesota - Duluth<br>(218) 726-7682</div></div></div></div></div>
<br></span><div><div class="h5"><div class="gmail_quote">On Tue, Jan 12, 2016 at 10:15 AM, Scheidler, Balázs <span dir="ltr"><<a href="mailto:balazs.scheidler@balabit.com" target="_blank">balazs.scheidler@balabit.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div><div>I would suggest to do this mapping _after_ the db-parser() stuff, e.g. I would use db-parser _only_ to extract name-value pairs and then do mappings from syslog-ng configuration file:<br><br></div>parser { <br></div> channel {<br></div> parser { db-parser(); };<br></div> rewrite { set("telnet" value("LOCALPORT") condition("${LOCALPORT}" == "23"))); };<br> rewrite { set("ssh" value("LOCALPORT") condition("${LOCALPORT}" == "22"))); };<br> };<br><div><div><div>};<br><br></div><div>We would definitely need to improve the syntax in the rewrite portion though, and I am willing to invest some efforts in that direction. <br><br></div><div>My point really is that db-parser() should be used for extraction, the rest of the syntax language for munging/mapping.<span><font color="#888888"><br></font></span></div></div></div></div><div class="gmail_extra"><span><font color="#888888"><br clear="all"><div><div><div dir="ltr">-- <br>Bazsi<br></div></div></div>
<br></font></span><div class="gmail_quote"><div><div>On Tue, Jan 12, 2016 at 4:47 PM, Fabien Wernli <span dir="ltr"><<a href="mailto:wernli@in2p3.fr" target="_blank">wernli@in2p3.fr</a>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div>Hi Mark,<br>
<br>
You can use template functions in patterndb [1].<br>
The idea is to add a value to the matched message, which contains the result<br>
of a template function. You could for instance use the "if" function:<br>
<br>
<values><br>
<value name="svc">$(if ("${port}" == "22") "ssh" "telnet")</value><br>
</values><br>
<br>
If you need anything more complex, and if you are using the 3.7.x series,<br>
you could even use a python script using the "python" template function.<br>
<br>
Cheers<br>
<br>
[1] <a href="https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html-single/index.html#reference-template-functions" rel="noreferrer" target="_blank">https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html-single/index.html#reference-template-functions</a><br>
<br>
<br></div></div><span>______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
<br></span></blockquote></div><br></div>
<br>______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
<br></blockquote></div><br></div></div></div>
<br>______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
<br></blockquote></div><br></div>