<div dir="ltr"><div><div><div>that might be the case for the port mapping, however I think it would be nice to have map() as a rewrite operation, e.g. one that maps specific values to others. And also, improving the conditional evaluation somehow would be great.<br><br></div>Right now we have to do stuff like:<br><br></div>channel {<br></div>    log { filter(blabla); conditional processing here; flags(final); };<br>    log { filter(blabla2); conditional2 processing here; flags(final); };<br>    log { filter(blabla3); conditional3 processing here; flags(final); };<br><br><div>};<br><br></div><div>It would be _much_ nicer to have something like this:<br><br>channel {<br>    if (blabla) { conditional processing here;  };<br>    if (blabla2) { conditional2 processing here;  };<br>    if (blabla3) { conditional3 processing here;  };<br><br>};<br><br></div><div>We could perhaps add else as well.<br></div><div><br></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><div dir="ltr">-- <br>Bazsi<br></div></div></div>
<br><div class="gmail_quote">On Tue, Jan 12, 2016 at 5:25 PM, Tibor Benke <span dir="ltr">&lt;<a href="mailto:ihrwein@gmail.com" target="_blank">ihrwein@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">AFAIK there is a getent() function in syslog-ng-incubator for the port -&gt; protocol translation.</div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">2016-01-12 17:15 GMT+01:00 Scheidler, Balázs <span dir="ltr">&lt;<a href="mailto:balazs.scheidler@balabit.com" target="_blank">balazs.scheidler@balabit.com</a>&gt;</span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div><div>I would suggest to do this mapping _after_ the db-parser() stuff, e.g. I would use db-parser _only_ to extract name-value pairs and then do mappings from syslog-ng configuration file:<br><br></div>parser { <br></div>    channel {<br></div>       parser { db-parser(); };<br></div>       rewrite { set(&quot;telnet&quot; value(&quot;LOCALPORT&quot;) condition(&quot;${LOCALPORT}&quot; == &quot;23&quot;))); };<br>       rewrite { set(&quot;ssh&quot; value(&quot;LOCALPORT&quot;) condition(&quot;${LOCALPORT}&quot; == &quot;22&quot;))); };<br>    };<br><div><div><div>};<br><br></div><div>We would definitely need to improve the syntax in the rewrite portion though, and I am willing to invest some efforts in that direction. <br><br></div><div>My point really is that db-parser() should be used for extraction, the rest of the syntax language for munging/mapping.<br></div></div></div></div><div class="gmail_extra"><br clear="all"><div><div><div dir="ltr">-- <br>Bazsi<br></div></div></div>
<br><div class="gmail_quote"><div><div>On Tue, Jan 12, 2016 at 4:47 PM, Fabien Wernli <span dir="ltr">&lt;<a href="mailto:wernli@in2p3.fr" target="_blank">wernli@in2p3.fr</a>&gt;</span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div>Hi Mark,<br>
<br>
You can use template functions in patterndb [1].<br>
The idea is to add a value to the matched message, which contains the result<br>
of a template function. You could for instance use the &quot;if&quot; function:<br>
<br>
    &lt;values&gt;<br>
      &lt;value name=&quot;svc&quot;&gt;$(if (&quot;${port}&quot; == &quot;22&quot;) &quot;ssh&quot; &quot;telnet&quot;)&lt;/value&gt;<br>
    &lt;/values&gt;<br>
<br>
If you need anything more complex, and if you are using the 3.7.x series,<br>
you could even use a python script using the &quot;python&quot; template function.<br>
<br>
Cheers<br>
<br>
[1] <a href="https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html-single/index.html#reference-template-functions" rel="noreferrer" target="_blank">https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html-single/index.html#reference-template-functions</a><br>
<br>
<br></div></div>______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
<br></blockquote></div><br></div>
<br>______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
<br></blockquote></div><br></div>
</div></div><br>______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
<br></blockquote></div><br></div>