On Sun, 2009-02-15 at 14:40 -0500, Joe Shaw wrote:
Hi,
On Sun, Feb 15, 2009 at 4:31 AM, Balazs Scheidler <bazsi@balabit.hu> wrote:
I'll see what I can do about this. What about the following idea:
 * make it possible to mark sources with tags
 * create a filter that matches tags
Then you could do something like:
source s_udp { udp(); tags(net); };
source s_tcp { tcp(); tags(net); };
filter f_net_messages { tags(net); };
log { flags(catch-all); filter(f_net_messages); destination(...); };
I'd have to work on the syntax a bit more, but I hope the general idea is visible.
Ah, interesting. Yes, I think this would work just fine.
I gave some more thought to that, and I think I'd assign these options to the log message, not the source group. This would make it possible to filter based on this value and also to change the tag assignments using a rewrite rule. I'd also assign the initial tags to the log source driver, not the source group. E.g. it would be something like this instead:

source s_udp { udp(tags(net)); };
source s_tcp { udp(tags(net)); };
filter f_net_messages { tags(net); };
log { flags(catch-all); filter(f_net_messages); destination(...); };

On the internal side, I think I could make this at least as fast as comparing facility/priority values by using a dynamically allocated bitmask for the implementation, though that would limit the maximum number of different tags to 32. Hmm.. the same could be used for db-parser() classification. This idea seems to be more and more appealing to me.

-- 
Bazsi
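To make the per-message bitmask idea concrete, here is an added example in C. It is not syslog-ng code and not from the thread; it models the three pieces the proposal names: tag names interned to bit positions at config time, a tag mask carried on each message that a source driver sets and a rewrite rule can change, and a tags() filter compiled to one mask so evaluation is a single AND per message. The names (TagRegistry, tag_intern, filter_tags_compile, demo_count_net_messages), the 32-entry limit from a single 32-bit word, and the any-of-the-listed-tags match semantics are my assumptions. The sample messages are constructed inline.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One bit per tag in a 32-bit word, so at most 32 distinct tag names
   (assumption matching the limit discussed in the thread). */
#define MAX_TAGS 32
#define TAG_NAME_LEN 32

typedef uint32_t TagMask;

/* Config-time structure: interns tag names to bit positions. */
typedef struct {
    char names[MAX_TAGS][TAG_NAME_LEN];
    int count;
} TagRegistry;

/* Tags travel with the message, not with the source group. */
typedef struct {
    TagMask tags;
    char text[64];
} LogMessage;

/* Find a tag id without registering it; -1 if unknown. */
static int tag_lookup(const TagRegistry *r, const char *name)
{
    for (int i = 0; i < r->count; i++)
        if (strcmp(r->names[i], name) == 0)
            return i;
    return -1;
}

/* Intern a tag name, taking the next free bit; -1 if the registry is
   full or the name is too long. */
int tag_intern(TagRegistry *r, const char *name)
{
    int id = tag_lookup(r, name);
    if (id >= 0)
        return id;
    if (r->count >= MAX_TAGS || strlen(name) >= TAG_NAME_LEN)
        return -1;
    strcpy(r->names[r->count], name);
    return r->count++;
}

/* What a driver such as udp(tags(net)) does on each new message, and what
   a rewrite rule could do later: set or clear one bit. */
int log_msg_set_tag(LogMessage *m, TagRegistry *r, const char *name)
{
    int id = tag_intern(r, name);
    if (id < 0)
        return -1;
    m->tags |= (TagMask)1u << id;
    return 0;
}

int log_msg_clear_tag(LogMessage *m, const TagRegistry *r, const char *name)
{
    int id = tag_lookup(r, name);
    if (id < 0)
        return -1;            /* unknown tag: nothing to clear */
    m->tags &= ~((TagMask)1u << id);
    return 0;
}

int log_msg_has_tag(const LogMessage *m, const TagRegistry *r, const char *name)
{
    int id = tag_lookup(r, name);
    return id >= 0 && ((m->tags >> id) & 1u);
}

/* Compile filter tags(a, b, ...) into one mask. A filter may be parsed
   before any source registers the tag, so unknown names are interned too.
   Returns 0 if a name could not be interned (a mask that matches nothing). */
TagMask filter_tags_compile(TagRegistry *r, const char *const *names, int n)
{
    TagMask mask = 0;
    for (int i = 0; i < n; i++) {
        int id = tag_intern(r, names[i]);
        if (id < 0)
            return 0;
        mask |= (TagMask)1u << id;
    }
    return mask;
}

/* One AND per message, no string compares. Assumed semantics: the filter
   matches if any listed tag is set on the message. */
int filter_tags_match(const LogMessage *m, TagMask filter_mask)
{
    return (m->tags & filter_mask) != 0;
}

/* Constructed messages standing in for s_udp, s_tcp and an untagged
   internal source, run through filter f_net_messages { tags(net); }.
   With apply_rewrite set, a rewrite rule first clears "net" from the
   tcp message, so only the udp message matches. */
int demo_count_net_messages(int apply_rewrite)
{
    TagRegistry reg = {0};
    LogMessage msgs[3] = {{0, "from udp"}, {0, "from tcp"}, {0, "internal"}};
    const char *const f_net_names[] = { "net" };
    TagMask f_net = filter_tags_compile(&reg, f_net_names, 1);

    log_msg_set_tag(&msgs[0], &reg, "net");   /* udp(tags(net)) */
    log_msg_set_tag(&msgs[1], &reg, "net");   /* tcp(tags(net)) */
    log_msg_set_tag(&msgs[1], &reg, "tcp");   /* a second tag on one message */
    if (apply_rewrite)
        log_msg_clear_tag(&msgs[1], &reg, "net");

    int matched = 0;
    for (int i = 0; i < 3; i++)
        if (filter_tags_match(&msgs[i], f_net))
            matched++;
    return matched;
}

int main(void)
{
    printf("matched without rewrite: %d\n", demo_count_net_messages(0));
    printf("matched after rewrite:   %d\n", demo_count_net_messages(1));
    return 0;
}
```

The registry is the only place tag names live; once interned, neither setting, clearing nor filtering touches a string, which is what makes the check comparable in cost to a facility/priority comparison. The cost of that design is visible in tag_intern: the 33rd distinct name is rejected, so a config that mints tags freely (for example one per db-parser() class) needs either a wider word or a word array.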