
<html>

<head>

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-2">

<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>

</head>

<body dir="ltr">

<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">

This should work:<br>

log {</div>

<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">

  source(s_network);<br>

  filter { filter(f_1) or filter(f_2) };<br>

</div>

<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">

  destination(d_syslog);<br>

};</div>

<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">

<br>

</div>

<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">

Regards,</div>

<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">

Gabor</div>

<div id="appendonsend"></div>

<hr style="display:inline-block;width:98%" tabindex="-1">

<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of Faine, Mark R. (MSFC-IS40)[NICS] <mark.faine@nasa.gov><br>

<b>Sent:</b> Wednesday, March 23, 2022 22:36<br>

<b>To:</b> Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu><br>

<b>Subject:</b> Re: [syslog-ng] [EXTERNAL] Re: Value is dropped or unset in resolved destination template</font>

<div> </div>

</div>

<style>

<!--

@font-face

        {font-family:"Cambria Math"}

@font-face

        {font-family:Calibri}

p.x_MsoNormal, li.x_MsoNormal, div.x_MsoNormal

        {margin:0in;

        font-size:11.0pt;

        font-family:"Calibri",sans-serif}

a:link, span.x_MsoHyperlink

        {color:blue;

        text-decoration:underline}

a:visited, span.x_MsoHyperlinkFollowed

        {color:purple;

        text-decoration:underline}

p.x_msonormal0, li.x_msonormal0, div.x_msonormal0

        {margin-right:0in;

        margin-left:0in;

        font-size:11.0pt;

        font-family:"Calibri",sans-serif}

span.x_EmailStyle18

        {font-family:"Calibri",sans-serif;

        color:windowtext}

span.x_SpellE

        {}

.x_MsoChpDefault

        {font-family:"Calibri",sans-serif}

@page WordSection1

        {margin:1.0in 1.0in 1.0in 1.0in}

div.x_WordSection1

        {}

-->

</style>

<div lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word">

<div style="background-color:#FFEB9C; width:100%; border-style:solid; border-color:#9C6500; border-width:1pt; padding:2pt; font-size:10pt; line-height:12pt; font-family:'Calibri'; color:Black; text-align:left">

<span style="color:#9C6500; font-weight:bold">CAUTION:</span> This email originated from outside of the organization. Do not follow guidance, click links, or open attachments unless you recognize the sender and know the content is safe.</div>

<br>

<div>

<div class="x_WordSection1">

<p class="x_MsoNormal"><span style="">Can I OR filters when they are in the form filter(<span class="x_SpellE">filter_name</span>); such as

</span></p>

<p class="x_MsoNormal"><span style=""> </span></p>

<p class="x_MsoNormal"><span style="">filter(<span class="x_SpellE">f_foo</span>); or filter(<span class="x_SpellE">f_bar</span>);</span></p>

<p class="x_MsoNormal"><span style=""> </span></p>

<p class="x_MsoNormal"><span style="">or does it have to be the long form:</span></p>

<p class="x_MsoNormal"><span style=""> </span></p>

<p class="x_MsoNormal"><span style="">filter { message='foo' or message='bar' }</span></p>

<p class="x_MsoNormal"><span style=""> </span></p>

<p class="x_MsoNormal"><span style="">The problem I'm having is that my filters are very large and I need to compare four of them for each message on the log path and so I don't want to write them inline inside of the log path.</span></p>

<p class="x_MsoNormal"><span style=""> </span></p>

<p class="x_MsoNormal"><span style="">Thanks,</span></p>

<p class="x_MsoNormal"><span style="">-Mark</span></p>

<p class="x_MsoNormal"><span style=""> </span></p>

<p class="x_MsoNormal"><span style=""> </span></p>

<div style="border:none; border-top:solid #E1E1E1 1.0pt; padding:3.0pt 0in 0in 0in">

<p class="x_MsoNormal"><b><span style="">From:</span></b><span style=""> syslog-ng <syslog-ng-bounces@lists.balabit.hu>

<b>On Behalf Of </b>Nagy Gábor<br>

<b>Sent:</b> Wednesday, March 23, 2022 10:03<br>

<b>To:</b> wernli@in2p3.fr; Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu><br>

<b>Subject:</b> [EXTERNAL] Re: [syslog-ng] Value is dropped or unset in resolved destination template</span></p>

</div>

<p class="x_MsoNormal"> </p>

<div>

<div>

<div>

<p class="x_MsoNormal">Hi Mark,<br>

<br>

Fabien is right, you should have a default value.<br>

You are using the rewrite rules that set $location inside an if statement.<br>

Maybe what happens is that in some cases a log doesn't match which leads to an unset $location.</p>

</div>

<p class="x_MsoNormal">Don't you have directories with $location's value too?</p>

</div>

<div>

<p class="x_MsoNormal">So you have both:<br>

("`BASEPATH`//$(lowercase ${HOST})/$app/$(lowercase ${HOST})_$app.log"</p>

</div>

<div>

<p class="x_MsoNormal">("`BASEPATH`/$location/$(lowercase ${HOST})/$app/$(lowercase ${HOST})_$app.log"</p>

</div>

<div>

<p class="x_MsoNormal"> </p>

</div>

<div>

<p class="x_MsoNormal">Or $location is always empty on the destination side?</p>

</div>

<div>

<p class="x_MsoNormal"> </p>

</div>

<p class="x_MsoNormal">Gabor</p>

<div>

<div>

<p class="x_MsoNormal"> </p>

</div>

</div>

</div>

<p class="x_MsoNormal"> </p>

<div>

<div>

<p class="x_MsoNormal">Fabien Wernli <<a href="mailto:wernli@in2p3.fr">wernli@in2p3.fr</a>> ezt írta (időpont: 2022. márc. 23., Sze, 15:04):</p>

</div>

<blockquote style="border:none; border-left:solid #CCCCCC 1.0pt; padding:0in 0in 0in 6.0pt; margin-left:4.8pt; margin-right:0in">

<p class="x_MsoNormal" style="margin-bottom:12.0pt">Hi Mark,<br>

<br>

It's really hard to tell what's happening without seeing your full<br>

configuration. Remember messages can go through multiple logpaths, some of<br>

which the variables are probably empty in.<br>

<br>

That being said, if I were you I'd use a default value for your macros in any<br>

case, much safer e.g.:<br>

<br>

    destination d_default {<br>

            file("`BASEPATH`/${location:-hidden}/$(lowercase ${HOST})/${app:-unknown}/$(lowercase ${HOST})_${app:-unknown}.log"<br>

            create_dirs(yes)<br>

            flags("threaded", "no-multi-line"));<br>

    };<br>

<br>

______________________________________________________________________________<br>

Member info: <a href="https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.balabit.hu%2Fmailman%2Flistinfo%2Fsyslog-ng&data=04%7C01%7Cgabor.nagy%40oneidentity.com%7C33b3db51f5524029fb2808da0d15243b%7C91c369b51c9e439c989c1867ec606603%7C0%7C1%7C637836681707286925%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=n5y0f6MjhGi%2FM1La56oY%2FoRyOcAqb5eM3TQg0Vs3ly4%3D&reserved=0" originalsrc="https://lists.balabit.hu/mailman/listinfo/syslog-ng" shash="k7rKCBwfKTKpIEjc+HeopHYypXJPi8PhruFk+8aQzwvSTB0BmoezZRPfBIXC6JJag5ytZ7mv7NKlq1wO2Inx3w1d313r9BG5PMDSSmF6izwL/F6QgMiix+y4m3JxH1F2b1Qa4g8WW47qlNek/ngokqEM64w65jDvClHvu3yWjNw=" target="_blank">

https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>

Documentation: <a href="https://nam12.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fsupport%2Fdocumentation%2F%3Fproduct%3Dsyslog-ng&data=04%7C01%7Cgabor.nagy%40oneidentity.com%7C33b3db51f5524029fb2808da0d15243b%7C91c369b51c9e439c989c1867ec606603%7C0%7C1%7C637836681707286925%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=t8voTU8qjP0RrdGPOQqDOjLkMAtxfkhcv%2BY6AYBN0hI%3D&reserved=0" originalsrc="http://www.balabit.com/support/documentation/?product=syslog-ng" shash="gIW/5wtq24kgQCwg3uz3uu4TDK49Y6rBGYPzIz+xa3Nvl1FvvAaNZMftZYGclAPSoL8r2lRhfX6KTVAeWSexDBXStZlmRmI4dXtUMXfjCRjGYBDhCGnDkej8PicZnsWEdcU346F8ChphcB24co7/HuV0HjzCn/lIXmiIf2nKz3w=" target="_blank">

http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>

FAQ: <a href="https://nam12.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fwiki%2Fsyslog-ng-faq&data=04%7C01%7Cgabor.nagy%40oneidentity.com%7C33b3db51f5524029fb2808da0d15243b%7C91c369b51c9e439c989c1867ec606603%7C0%7C1%7C637836681707286925%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=crU0bjlG3N%2Fsy2pJ0buOVz8LkTTsaaQ4HXUbIdqxIrc%3D&reserved=0" originalsrc="http://www.balabit.com/wiki/syslog-ng-faq" shash="LnFaK5KIIyFDRj6ElGpWG0ZMJMPBKGDySiYiFq2EWoqSNc+66KkocDfN+9q9VyP0T2sl31FEqgoXlW7ljCxd6Cr0tZfAoTVPcAutvWj1itdsYZruMmnbX1U3xLsmam1wAcF3Axeg8BZIlXSEyEWyu+x05DFkSujMTK5BCqcvLNc=" target="_blank">

http://www.balabit.com/wiki/syslog-ng-faq</a></p>

</blockquote>

</div>

</div>

</div>

</div>

</body>

</html>