<div dir="ltr">Hello Kaleem!<br><br>I'm afraid modifying the PRIORITY field of the log message is still not supported as it is a hard-macro in syslog-ng and thus it is *read-only*:<br><a href="https://syslog-ng.com/documents/html/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/macros-hard-vs-soft.html">https://syslog-ng.com/documents/html/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/macros-hard-vs-soft.html</a><br><br><br><div>Basically, you would like to control the feature at the config block level (e.g. in a rewrite rule or in a filter, etc.) which can be freely included in any log path.</div><div><br></div><div>As a solution, you can use the same conditional rewrite rule, set a new name-value pair with the desired priority and always use the template in the destination.<br></div><div>There is no problem if you don't use the rewrite rule in a log path while the destination is trying to expand the `MY_PRI` field, as it would simply evaluate to an empty string.</div><div><div><br></div><div>Config example:<br><blockquote style="margin:0 0 0 40px;border:none;padding:0px">rewrite r_set_priority {<br> set("<185> " value(MY_PRI) condition(filter(f_syslogd1);) );<br>};<br>destination d_stdout {<br> file("/dev/stdout"<br> template("${MY_PRI}${ISODATE} ${HOST} ${MSGHDR}${MSG}\n")<br> );<br>};<br>log {<br> ....<br> rewrite(r_set_priority);<br> destination(d_stdout);<br>};</blockquote><br><br>I was thinking about other ways, junctions or multiple log paths with the same destinations (except one destination would have the template), </div><div>but those would increase the config complexity or are just ugly.</div><div><br></div></div><div><br></div><div>Gabor</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Mar 7, 2018 at 12:48 PM, Kaleemulla Sharief (kasharie) <span dir="ltr"><<a href="mailto:kasharie@cisco.com" target="_blank">kasharie@cisco.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="m_2698349482728986479WordSection1">
<p class="MsoNormal">Hi,<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Is there support to change the syslog *<b>priority</b><b>*</b> using rewrite? While I read it was not supported earlier but was planned for syslog-ng 3.2 (apologies if this is a wrong source), can someone help me with an example if it was
added in any of the later releases? The below did not work for me with syslog-ng 3.5.6 to change debug syslog to alert.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">filter f_syslogd1 { match("%OS-PCE-7-CSPF_<wbr>FALLBACK") and priority(debug); };<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">rewrite r_rewrite_set{set("1", value("PRIORITY") condition(filter(f_syslogd1)))<wbr>;}; #Neither 1 without quotes<u></u><u></u></span></p>
<pre>log { source(s_syslog_514); <span style="color:black">rewrite (r_rewrite_set);</span> destination(d_syslog); };<span style="color:black"><u></u><u></u></span></pre>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">I am able to achieve this using a template hack, something like below (changing to local7.alert=185), but the problem is that while I can use the template inside the destination definition, rewrite can be used under the log section so that I can re-use the
same destination with different filters with or without rewrite; the below will get applied to all syslogs to destination d_syslog, which is not my requirement. How can I combine filters with a template on the same destination if rewrite is not supported? Appreciate
any suggestions.<u></u><u></u></p>
<p class="MsoNormal"><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">template t_asm {<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New""> template("<185> $DATE $HOST $MSGHDR$MSG\n");<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New""> template_escape(no);<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">};<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New""><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">destination d_syslog<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New""> {udp("server-001" port(514) spoof_source(yes) template(t_asm));<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">};<u></u><u></u></span></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Regards<u></u><u></u></p>
<p class="MsoNormal">~ Kaleem<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div>
<br></blockquote></div><br></div>
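<p>The following Python example is added here and is not from the thread or from syslog-ng: it models the destination template expansion described in the reply and shows which priority a receiver would assign with and without <code>MY_PRI</code> set. The helper names (<code>expand</code>, <code>pri_literal</code>, <code>receiver_priority</code>) and the sample field values are constructed for illustration, and the receiver is assumed to apply RFC 3164's default PRI of 13 (user.notice) to a message that arrives without one.</p>

```python
import re

# Short names for the RFC 3164 numeric codes; index == code.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3",
              "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
DEFAULT_PRI = 13  # assumption: receiver follows RFC 3164 4.3.3 (user.notice)

# Destination template from the reply, and constructed sample field values.
TEMPLATE = "${MY_PRI}${ISODATE} ${HOST} ${MSGHDR}${MSG}\n"
FIELDS = {"ISODATE": "2018-03-07T12:48:00+00:00", "HOST": "router-1",
          "MSGHDR": "pce[123]: ", "MSG": "%OS-PCE-7-CSPF_FALLBACK sample text"}


def pri_literal(facility, severity):
    """Build the '<N> ' string a rewrite rule would store in MY_PRI."""
    pri = FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)
    return f"<{pri}> "


def expand(template, nv):
    """Expand ${NAME} references; an unset name expands to an empty string."""
    return re.sub(r"\$\{(\w+)\}", lambda m: nv.get(m.group(1), ""), template)


def receiver_priority(line):
    """Return (pri, 'facility.severity') as the assumed receiver would see it."""
    m = re.match(r"<(\d{1,3})>", line)
    pri = int(m.group(1)) if m else DEFAULT_PRI
    if pri > 191:  # outside the valid PRI range: treat as missing
        pri = DEFAULT_PRI
    return pri, f"{FACILITIES[pri >> 3]}.{SEVERITIES[pri & 7]}"


if __name__ == "__main__":
    # Log path that applies the rewrite rule: MY_PRI is set.
    rewritten = expand(TEMPLATE, {**FIELDS, "MY_PRI": pri_literal("local7", "alert")})
    # Log path that skips the rewrite rule: MY_PRI is unset.
    untouched = expand(TEMPLATE, FIELDS)
    for line in (rewritten, untouched):
        print(receiver_priority(line), repr(line))
```

<p>With a file destination the missing PRI only changes the line's prefix; on a network destination such as the <code>udp()</code> one in the question, the unrewritten path would lose its original facility and severity at the receiver under the assumption above.</p>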