<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
Hi Mark,</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
VARARGS is used to pass an unknown number of <b>options</b> to the underlying driver through the block.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
For example:</div>
<div style="color: rgb(212, 212, 212); background-color: rgb(30, 30, 30); font-family: 'Droid Sans Mono', monospace, monospace, 'Droid Sans Fallback'; font-weight: normal; font-size: 14px; line-height: 19px;">
<span><span>block destination ewmm(ip(</span><span style="color: rgb(206, 145, 120);">'127.0.0.1'</span><span>) transport(tcp) port(514) ...) {</span></span>
<div><span> network(</span><span style="color: rgb(206, 145, 120);">"`ip`"</span><span> transport(`transport`) port(`port`)</span></div>
<div><span> template(</span><span style="color: rgb(206, 145, 120);">"$(format-ewmm)"</span><span>)</span></div>
<div><span> frac-digits(3)</span></div>
<div><span> `__VARARGS__`</span></div>
<div><span> )</span><span style="color: rgb(106, 153, 85);">;</span></div>
<span><span>}</span><span style="color: rgb(106, 153, 85);">;</span></span></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
"..." and "__VARARGS__" must be used together.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
In the example above, any option given to the ewmm destination other than ip(), transport() and port(), is passed to the underlying network() destination.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
For your use case, I think a single option would suffice:</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<div style="color: rgb(212, 212, 212); background-color: rgb(30, 30, 30); font-family: 'Droid Sans Mono', monospace, monospace, 'Droid Sans Fallback'; font-weight: normal; font-size: 14px; line-height: 19px;">
<span><span>block destination default_file(</span></span>
<div><span> basepath(</span><span style="color: rgb(206, 145, 120);">'/var/log/remote/backup'</span><span>)</span></div>
<div><span> location(</span><span style="color: rgb(206, 145, 120);">""</span><span>)</span></div>
<div><span> app(</span><span style="color: rgb(206, 145, 120);">""</span><span>)</span></div>
<div><span> name(</span><span style="color: rgb(206, 145, 120);">""</span><span>)</span></div>
<div><span> file_path_args(</span><span style="color: rgb(206, 145, 120);">""</span><span>)</span>) {</div>
<div><span><br>
</span></div>
<div><span> file(</span></div>
<div><span> </span><span style="color: rgb(206, 145, 120);">"`basepath`/`location`/`app`/${HOST}/${HOST}_`app``file_path_args`.log"</span></div>
<div><span> persist-name(`name`)</span></div>
<div><span> create_dirs(yes)</span></div>
<div><span> flags(</span><span style="color: rgb(206, 145, 120);">"threaded"</span><span>,
</span><span style="color: rgb(206, 145, 120);">"no-multi-line"</span><span>)</span></div>
<div><span> )</span><span style="color: rgb(106, 153, 85);">;</span></div>
<div><span>}</span><span style="color: rgb(106, 153, 85);">;</span></div>
<br>
<div><span>destination d_default {</span></div>
<div><span> default_file(</span></div>
<div><span> basepath(`BASEPATH`)</span></div>
<div><span> location(</span><span style="color: rgb(206, 145, 120);">"$location"</span><span>)</span></div>
<div><span> app(</span><span style="color: rgb(206, 145, 120);">"$app"</span><span>)</span></div>
<div><span> name(</span><span style="color: rgb(206, 145, 120);">'d_default_udp'</span><span>)</span></div>
<div><span> file_path_args(</span><span style="color: rgb(206, 145, 120);">"${session}${some_other_arg}"</span><span>)</span></div>
<div><span> )</span><span style="color: rgb(106, 153, 85);">;</span></div>
<span><span>}</span><span style="color: rgb(106, 153, 85);">;</span></span></div>
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
With the file_path_args() option you can set any number of optionally available macros in the order you like. If a macro is not available, it will resolve to an empty string.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
Does this take care of your needs?</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
Cheers,</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
Attila</div>
<div id="appendonsend"></div>
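<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
Added example (not part of Attila's message and not syslog-ng's own configuration): the default_file block from the reply, extended with "..." in its parameter list and `__VARARGS__` inside file(), so that file() options the block does not declare are passed through to the driver. The perm() and dir-perm() values are assumptions chosen for illustration; the per-message path suffix still goes through file_path_args(), because VARARGS carries options, not bare strings.</div>
<pre>
```conf
# Added example: names follow the thread; perm()/dir-perm() values are assumed.
# "..." in the parameter list and `__VARARGS__` in the body are used together:
# every key(value) option that the block does not declare is expanded into file().
block destination default_file(
    basepath('/var/log/remote/backup')
    location("")
    app("")
    name("")
    file_path_args("")
    ...) {

    file(
        "`basepath`/`location`/`app`/${HOST}/${HOST}_`app``file_path_args`.log"
        persist-name(`name`)
        create_dirs(yes)
        flags("threaded", "no-multi-line")
        `__VARARGS__`
    );
};

# perm() and dir-perm() are not declared by the block, so they reach file()
# through __VARARGS__; the path suffix is passed as a declared option.
destination d_default {
    default_file(
        basepath(`BASEPATH`)
        location("$location")
        app("$app")
        name('d_default_udp')
        file_path_args("${session}${some_other_arg}")
        perm(0640)
        dir-perm(0750)
    );
};
```
</pre>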
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> syslog-ng &lt;syslog-ng-bounces@lists.balabit.hu&gt; on behalf of Faine, Mark R. (MSFC-IS40)[NICS] &lt;mark.faine@nasa.gov&gt;<br>
<b>Sent:</b> Tuesday, May 18, 2021 8:00 PM<br>
<b>To:</b> Syslog-ng users' and developers' mailing list &lt;syslog-ng@lists.balabit.hu&gt;<br>
<b>Subject:</b> [syslog-ng] using VARARGS correctly</font>
<div> </div>
</div>
<div class="BodyFragment"><font size="2"><span style="font-size:11pt;">
<div class="PlainText">
Syslog-ng 3.19<br>
<br>
block destination d_default(basepath('/var/log/remote/backup') location("") app("") name("")) {<br>
file("`basepath`/`location`/`app`/${HOST}/${HOST}_`app``__VARARGS__`.log"<br>
persist-name(`name`) create_dirs(yes)<br>
flags("threaded", "no-multi-line"));<br>
};<br>
<br>
However, when I call it like so:<br>
<br>
d_default(basepath(`BASEPATH`) location("$location") app("$app") name('d_default_udp') "$session");<br>
<br>
I get a syntax error when checking with --syntax-only<br>
<br>
Error parsing block reference, syntax error, unexpected LL_STRING, expecting ')' in /etc/syslog-ng/conf.d/splunk.conf:<br>
23 categorize_loc();<br>
24 categorize_app();<br>
25 };<br>
26 };<br>
27 destination {<br>
28----> d_default(basepath(`BASEPATH`) location("$location") app("$app") name('d_default_udp') "$session");<br>
28----> ^^^^^^^^^^<br>
<br>
<br>
From looking at the documentation, it looks like it's a valid way to use it. $session here is just a number from 0-9 that is set from rewriting a user defined macro from the message's sessionid field. It's only going to exist for a certain kind of message.<br>
<br>
Thanks,<br>
-Mark<br>
</div>
</span></font></div>
</body>
</html>