On Sat, 2011-12-17 at 20:26 +0100, Fekete RĂ³bert wrote:
On Friday, December 16, 2011 21:59 CET, Patrick Hemmer <syslogng@feystorm.net> wrote:
Would it be possible to set tags on a message when it is matched by a `log {}` statement? This would be useful for complex log configurations so you could filter out messages that were logged by previous `log {}` statements without having to write really long `filter {}`s.
I'm not sure if this is possible or not. Would depend on the order of operations, like if a filter block in a latter log statement is evaluated at the same time as an earlier filter block, or if its evaluated when it reaches the `log {}`.
Hi,
currently that is possible only with a small workaround: using a rewrite rule to modify the $TAGS field of the message.
Something like: rewrite r_rewrite_tag1 { set("$TAGS,tag1", value("TAGS"));};
No, this wouldn't work. $TAGS is read-only right now.
Then a log statement would look like:
log { source(s_local); filter(f_a); r_rewrite_tag1; destination(d_a); };
http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.3-guide...
You can probably combine the filter and the rewrite into a single conditional rewrite rule to simplify the log statement.
http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.3-guide...
Would it not be enought to use the flags(final) rule on log statements, perhaps using embedded log {} statements? This is equivalent to your configuration: filter f_a { facility(mail); }; log { source(s_local); filter(f_a); destination(d_a); flags(final); }; filter f_b { facility(local0); }; log { source(s_local); filter(f_b); destination(d_b); flags(final); }; log { source(s_local); destination (d_c); }; -- Bazsi