Hello,

You could use *rewrite* rule to add nv-pair to each message:

log {

source(s_local);

if (message('a')) {

rewrite {

set("foo" value("app"));

set("bar" value("location"));

};

}

elif (message('b')) {

rewrite {

set("foob" value("app"));

set("barb" value("location"));

};

}

else {

rewrite {

set("default" value("app"));

set("default" value("location"));

};

destination {

file("/dev/stdout" template("$app $location\n"));

};

Something like this.

Kokan

On Fri, Mar 22, 2019 at 2:37 PM Faine, Mark R. (MSFC-IS40)[NICS] <mark.faine@nasa.gov> wrote:

Is there a way to set variables in syslog-ng?

I have a log path with about 20 if/else branches and each one does a unnamed destination for that branch:

log {
source(pan_splunk);
if ( tags('mytag') ) {
destination {
file("/var/log/remote/backup/$HOST/asa/${HOST}_asa.log"
create-dirs(yes) dir-owner("splunk") dir-group("splunk") dir-perm(0750));
};
} elif ( message('something else') ) {
destination {
file("/var/log/remote/backup/$HOST/pubfw/${HOST}_pubfw.log"
create-dirs(yes) dir-owner("splunk") dir-group("splunk") dir-perm(0750));
};
} elif {
filter { message('foo') or
message('bar') or
message('baz') or
...

I'd need to introduce another directory level as a variable and I'd also like to change an existing part of the path to a variable so that then I could then do something like this:

if ( tags('mytag') ) {
app = asa
location = msfc
elif
...

and at the end I could then just do a single destination that had a file path with the variables
file("/var/log/remote/backup/$location/$HOST/$app/${HOST}_$app.log"

Thanks,
-Mark

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq