On Wednesday 06 March 2019, you wrote:
> Could you share your use case, where you wanted to "replace" log blocks?

My use case is reducing /var/log/messages when new software is installed. This can be implemented through a filter override, but it is not so visual.

For example, a base config:
==
...
filter f_mesgs { level(info) and not facility(mail,authpriv); };
destination mesg { file("/var/log/syslog/messages"); };
log { source(sys); filter(f_mesgs); destination(mesg); };
...
@include "/etc/syslog-ng/conf.d/*.conf"
==

Then I install Cyrus-IMAP, for example.
== conf.d/cyrus-imap.conf ==
...
filter f_cyrus { match("cyrus/"); };
filter f_not_cyrus { not match("cyrus/"); };
...
log { source(sys); filter(f_cyrus); destination(cyrus); };
==

But some Cyrus-IMAP messages satisfy the f_mesgs condition. I can redefine f_mesgs:

filter f_mesgs { level(info) and not facility(mail,authpriv) and not match("cyrus/"); };

But the log override is more succinct:

log { source(sys); filter(f_mesgs); filter (f_not_cyrus); destination(mesg); };

In this example, the "f_not_cyrus" filter is simple, but such filters can be more complex. The "f_mesgs" filter can become difficult to read as a result.

--
Regards, Sergey