<div dir="ltr">Hi, <div><br></div><div>Currently the selector must be a string or a macro, and its value must appear in the first field of the csv file. So you must either list every possible IP address in the csv file, or somehow add the netmask/subnet as a field to the message, and use that as the selector. </div><div>For example, if you do not have too many separate vlans/subnets, you could try using conditional rewrites (<a href="https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/conditional-rewrite.html">https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/conditional-rewrite.html</a>) to replace the filter and set a custom field. Something like: </div><div><br></div><div><pre class="gmail-prettyprint gmail-synopsis gmail-prettyprinted"><span class="gmail-pln">rewrite r_rewrite_set</span><span class="gmail-pun">{</span><span class="gmail-kwd">set</span><span class="gmail-pun">(</span><span class="gmail-str">"43"</span><span class="gmail-pun">,</span><span class="gmail-pln"> value</span><span class="gmail-pun">(</span><span class="gmail-str">"MY_VLANID"</span><span class="gmail-pun">)</span><span class="gmail-pln"> condition</span><span class="gmail-pun">(</span><span style="font-family:arial,sans-serif;font-size:12.8px;white-space:normal">netmask(</span><a href="http://192.168.1.0/24" rel="noreferrer" target="_blank" style="font-family:arial,sans-serif;font-size:12.8px;white-space:normal">192.168.1.0/24</a><span style="font-family:arial,sans-serif;font-size:12.8px;white-space:normal">)</span><span class="gmail-pun" style="font-family:arial,sans-serif">));};</span></pre><pre class="gmail-prettyprint gmail-synopsis gmail-prettyprinted"><span class="gmail-pun" style="font-family:arial,sans-serif">...</span></pre><pre class="gmail-prettyprint gmail-synopsis gmail-prettyprinted"><span class="gmail-pun" style="font-family:arial,sans-serif"><span style="font-size:12.8px;white-space:normal">add-contextual-data(</span><br style="font-size:12.8px;white-space:normal"><span style="font-size:12.8px;white-space:normal"> selector($</span>MY_VLANID<span style="font-size:12.8px;white-space:normal">)</span><span style="font-size:12.8px;white-space:normal"><br></span><span style="font-size:12.8px;white-space:normal"> database(“/opt/syslog-ng/etc/</span><wbr style="font-size:12.8px;white-space:normal"><span style="font-size:12.8px;white-space:normal">VLAN_Descriptions.csv")</span><br style="font-size:12.8px;white-space:normal"><span style="font-size:12.8px;white-space:normal"> default-selector("unknown-</span><wbr style="font-size:12.8px;white-space:normal"><span style="font-size:12.8px;white-space:normal">hostname")</span><br style="font-size:12.8px;white-space:normal"><span style="font-size:12.8px;white-space:normal"> );</span><br></span></pre><pre class="gmail-prettyprint gmail-synopsis gmail-prettyprinted"><span class="gmail-pun" style="font-family:arial,sans-serif">...</span></pre><pre class="gmail-prettyprint gmail-synopsis gmail-prettyprinted"><font face="arial, sans-serif">And the first field of the CSV must be the VLANID value.</font></pre><pre class="gmail-prettyprint gmail-synopsis gmail-prettyprinted"><font face="arial, sans-serif"><br></font></pre><pre class="gmail-prettyprint gmail-synopsis gmail-prettyprinted"><font face="arial, sans-serif">HTH, </font></pre><pre class="gmail-prettyprint gmail-synopsis gmail-prettyprinted"><span style="font-family:arial,sans-serif">Robert</span><br></pre><pre class="gmail-prettyprint gmail-synopsis gmail-prettyprinted"><span class="gmail-pun" style="font-family:arial,sans-serif"><br></span></pre><pre class="gmail-prettyprint gmail-synopsis gmail-prettyprinted"><span class="gmail-pun" style="font-family:arial,sans-serif"><br></span></pre><pre class="gmail-prettyprint gmail-synopsis gmail-prettyprinted"><span class="gmail-pun"><br></span></pre></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Oct 19, 2016 at 1:01 AM, Scot Needy <span dir="ltr"><<a href="mailto:scotrn@gmail.com" target="_blank">scotrn@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Tried adding this way and seems to be looking for the tag rather than adding.<br>
Logging stopped for this filter.<br>
<br>
filter f_192_168_1_0 {<br>
netmask(<a href="http://192.168.1.0/24" rel="noreferrer" target="_blank">192.168.1.0/24</a>);<br>
tags(“VMware_ESX");<br>
};<br>
<div class="HOEnZb"><div class="h5"><br>
<br>
> On Oct 18, 2016, at 6:12 PM, Scot Needy <<a href="mailto:scotrn@gmail.com">scotrn@gmail.com</a>> wrote:<br>
><br>
><br>
> Could I leverage this type of CSV to add VLAN ID and VLAN description tags if I already have<br>
><br>
> filter f_192_168_1_0 { netmask(<a href="http://192.168.1.0/24);" rel="noreferrer" target="_blank">192.168.1.0/24);</a>};<br>
><br>
><br>
> VLAN_Descriptions.csv<br>
> VLANID, VLAN Description, subnet/24<br>
> 43, Database_#14141, <a href="http://192.168.1.1/24" rel="noreferrer" target="_blank">192.168.1.1/24</a><br>
><br>
> filter f_192_168_1_0 {<br>
> netmask(<a href="http://192.168.1.0/24" rel="noreferrer" target="_blank">192.168.1.0/24</a>);<br>
> add-contextual-data(<br>
> selector($IP is in f_192_168_1_0 or something specific?????/)<br>
> database(“/opt/syslog-ng/etc/<wbr>VLAN_Descriptions.csv")<br>
> default-selector("unknown-<wbr>hostname")<br>
> );<br>
><br>
> };<br>
><br>
><br>
><br>
<br>
______________________________<wbr>______________________________<wbr>__________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/<wbr>mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/<wbr>support/documentation/?<wbr>product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/<wbr>syslog-ng-faq</a><br>
<br>
</div></div></blockquote></div><br></div>