<div dir="ltr">Hi, <div><br></div><div>you mean something like this? <a href="https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/example-dropping-messages.html">https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/example-dropping-messages.html</a></div></div>
<div class="gmail_extra"><br><div class="gmail_quote">On Wed, Dec 7, 2016 at 12:07 AM, Jorge Pereira <span dir="ltr">&lt;<a href="mailto:jpereiran@gmail.com" target="_blank">jpereiran@gmail.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Hi folks,</div>
<div><br></div>
<div>Basically, in my setup, I received JSON and all the usual (default) syslog packets on my server. But I have a simple filter "f_blacklist_network_by_clientip" based on a JSON field. Everything works well; the problem is that when my filter "f_blacklist_network_by_clientip" returns OK, the junction() goes to the next statement, processing the d_default_handler() destination.<br></div>
<div><br></div>
<div>My doubt is: how to stop the processing when my filter f_blacklist_network_by_clientip() returns OK?</div>
<div><br></div>
<div><b>&lt;SNIP&gt;</b></div>
<div><div>log {</div>
<div>    source(s_internet);</div>
<div><br></div>
<div>    junction {</div>
<div>         channel {</div>
<div>            filter(f_wb_access_log);</div>
<div>            parser(p_msg2json);</div>
<div>            filter(f_blacklist_network_by_clientip);</div>
<div>            destination(d_wb_access_log);</div>
<div>            flags(final);</div>
<div>        };</div>
<div><br></div>
<div>        # Default destination</div>
<div>        channel {</div>
<div><b>            # DOUBT: how to skip processing if f_blacklist_network_by_clientip returns OK?</b></div>
<div>            destination(d_default_handler);</div>
<div>        };</div>
<div>    };</div>
<div>};</div>
<div><br></div>
<div>filter f_wb_access_log {  program("wb_access"); };</div>
<div>parser p_msg2json { json-parser( marker("") prefix("j.")); };</div>
<div><br></div>
<div>filter f_blacklist_network_by_clientip {</div>
<div>    not match("^127\.0\.", value("j.clientip"));</div>
<div>    not match("^172\.16\.", value("j.clientip"));</div>
<div>    not match("^172\.26\.", value("j.clientip"));</div>
<div>    not match("^172\.31\.", value("j.clientip"));</div>
<div><b>    # if match, stop the processing and don't jump to "channel { destination(d_default_handler); };"</b></div>
<div>};</div>
<div><br></div>
<div>destination d_wb_access_log {</div>
<div>    file("/var/log/syslog-ng/wb/${j.webapp_domain:-invalid_gw_access}_access.log"</div>
<div>         create_dirs(yes) template("${MSG}\n")</div>
<div>    );</div>
<div>};</div>
<div><br></div>
<div>destination d_default_handler {</div>
<div>    file("/var/log/syslog-ng/servers/${HOST}/${FACILITY:-invalid_facility}.log"</div>
<div>         create_dirs(yes)</div>
<div>    );</div>
<div>};</div></div>
<div><b><br></b></div>
<div><b>&lt;/SNIP&gt;</b><br></div>
</div>
<br></blockquote></div><br></div>
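<div>The message-dropping pattern the reply points to (a filter, no destination, and flags(final)), applied to the configuration in the question, as an added example that is not from either poster. The filter name f_clientip_in_blacklist is hypothetical, and the example assumes the goal is that wb_access messages from the listed networks are stored nowhere.</div>

```conf
# Added example, not the poster's configuration. It reuses s_internet,
# f_wb_access_log, p_msg2json and both destinations from the quoted post.

# Hypothetical filter: true when j.clientip IS in a listed network
# (the positive form of the four "not match" lines in the post).
# Single quotes keep the backslashes in the regular expressions literal.
filter f_clientip_in_blacklist {
    match('^127\.0\.' value("j.clientip"))
    or match('^172\.16\.' value("j.clientip"))
    or match('^172\.26\.' value("j.clientip"))
    or match('^172\.31\.' value("j.clientip"));
};

log {
    source(s_internet);

    junction {
        # 1. wb_access messages from a listed network: no destination plus
        #    flags(final), so they are written nowhere and the channels
        #    below never see them.
        channel {
            filter(f_wb_access_log);
            parser(p_msg2json);
            filter(f_clientip_in_blacklist);
            flags(final);
        };

        # 2. Remaining wb_access messages go to the access log only.
        channel {
            filter(f_wb_access_log);
            parser(p_msg2json);
            destination(d_wb_access_log);
            flags(final);
        };

        # 3. Everything that matched neither channel above.
        channel {
            destination(d_default_handler);
        };
    };
};
```

<div>A wb_access message whose payload fails JSON parsing matches neither of the first two channels and is written by d_default_handler, so malformed input is kept rather than dropped.</div>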