<div dir="ltr">Hi!<br><br>Sorry, but the above config has a problem:<div>if the rewrite rule is not appled then the original PRIORITY is not going to be in the log message.</div><div><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">(I should'nt had test it with file destination :))</span></div><div>You have to save it first:</div><div><br><div>rewrite r_rew {</div><div>+ set("<${PRI}>" value(MY_PRI) );</div><div> set("<185>" value(MY_PRI) condition(filter(f_matches);) );<br></div></div><div><br></div><div>Regards,</div><div>Gabor</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Mar 7, 2018 at 4:31 PM, Nagy, Gábor <span dir="ltr"><<a href="mailto:gabor.nagy@balabit.com" target="_blank">gabor.nagy@balabit.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hello Kaleem!<br><br>I'm afraid modifying the PRIORITY field of the log message is still not supported as it is a hard-macro in syslog-ng and thus it is *read-only*:<br><a href="https://syslog-ng.com/documents/html/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/macros-hard-vs-soft.html" target="_blank">https://syslog-ng.com/<wbr>documents/html/syslog-ng-ose-<wbr>latest-guides/en/syslog-ng-<wbr>ose-guide-admin/html/macros-<wbr>hard-vs-soft.html</a><br><br><br><div>Basically, you would like to control the feature on config block level (e.g. in a rewrite rule or in a filter, etc.) which can be freely included in any log path.</div><div><br></div><div>As a solution, you can use the same conditional rewrite rule, set a new name-value pair with the desired priority and use the template always in the destination.<br></div><div>There is no problem if you don't use the rewrite rule in a log path while the destination is trying to expand the `MY_PRI` field as it would simply evaluate to an empty string.</div><div><div><br></div><div>Config example:<br><blockquote style="margin:0 0 0 40px;border:none;padding:0px">rewrite r_set_priority {<br> set("<185> " value(MY_PRI) condition(filter(f_syslogd1);) );<br>};<br>destination d_stdout {<br> file("/dev/stdout"<br> template("${MY_PRI}${ISODATE} ${HOST} ${MSGHDR}${MSG}\n")<br> );<br>};<br>log {<br> ....<br> rewrite(r_set_priority);<br> destination(d_stdout);<br>};</blockquote><br><br>I was thinking about other ways, junctions or multiple log paths with the same destinations(except one destination would have the template), </div><div>but those would increase the config complexity or just ugly.</div><div><br></div></div><div><br></div><div>Gabor</div></div><div class="gmail_extra"><br><div class="gmail_quote"><div><div class="h5">On Wed, Mar 7, 2018 at 12:48 PM, Kaleemulla Sharief (kasharie) <span dir="ltr"><<a href="mailto:kasharie@cisco.com" target="_blank">kasharie@cisco.com</a>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5">
<div lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="m_8932014371361118291m_2698349482728986479WordSection1">
<p class="MsoNormal">Hi,<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Is there support to change the syslog *<b>priority</b><b>*</b> using rewrite? While I read it was not supported earlier but was planned for syslog-ng 3.2 (apologies if this is a wrong source), can someone help me with an example if it was
added in any of the releases later ? Below did not work for me with syslog-ng 3.5.6 to change debug syslog to alert.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">filter f_syslogd1 { match("%OS-PCE-7-CSPF_FALLBACK<wbr>") and priority(debug); };<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">rewrite r_rewrite_set{set("1", value("PRIORITY") condition(filter(f_syslogd1)))<wbr>;}; #Neither 1 without quotes<u></u><u></u></span></p>
<pre>log { source(s_syslog_514); <span style="color:black">rewrite (r_rewrite_set);</span> destination(d_syslog); };<span style="color:black"><u></u><u></u></span></pre>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">I am able to achieve this using the template hack something like below (changing to local7.alert=185) but the problem is while I can use the template inside destination definition, rewrite can be used under log section so that I can re-use
same destination with different filters with or without rewrite, below will get applied to all syslogs to destination d_syslog which is not my requirement. How can I combine filters with template on same destination if rewrite is not supported. Appreciate
any suggestions.<u></u><u></u></p>
<p class="MsoNormal"><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">template t_asm {<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New""> template("<185> $DATE $HOST $MSGHDR$MSG\n");<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New""> template_escape(no);<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">};<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New""><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">destination d_syslog<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New""> {udp("server-001" port(514) spoof_source(yes) template(t_asm));<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">};<u></u><u></u></span></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Regards<u></u><u></u></p>
<p class="MsoNormal">~ Kaleem<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div>
<br></div></div>______________________________<wbr>______________________________<wbr>__________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailm<wbr>an/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support<wbr>/documentation/?product=<wbr>syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/sy<wbr>slog-ng-faq</a><br>
<br>
<br></blockquote></div><br></div>
</blockquote></div><br></div>