On Mon, 2009-02-09 at 11:36 -0500, Joe Shaw wrote:
> Hi,
>
> On Sun, Feb 8, 2009 at 10:08 AM, Balazs Scheidler <bazsi@balabit.hu> wrote:
> > Interesting idea. The only similar functionality that we have right now is the use of the 'catch-all' flag. A catch-all log rule behaves as if _all_ sources would be specified. This is much less flexible than what you have described, though.
> >
> > Is this enough for you?
>
> Not exactly; I'd like some sources (such as internal()) to go to a local file and not over the wire to the centralized host.
>
> Might be something to consider adding to a future roadmap... I'm sure it's not long enough. ;)

I'll see what I can do about this. What about the following idea:

 * make it possible to mark sources with tags
 * create a filter that matches tags

Then you could do something like:

source s_udp { udp(); tags(net); };
source s_tcp { tcp(); tags(net); };

filter f_net_messages { tags(net); };

log { flags(catch-all); filter(f_net_messages); destination(...); };

I'd have to work on the syntax a bit more, but I hope the general idea is visible.

-- 
Bazsi
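
A small Python model of the routing that the tag proposal above would produce, added here as an illustration; it is not syslog-ng code and not part of the thread. The classes and the names s_internal, d_central and d_local_file are hypothetical; it contrasts a bare catch-all path with one gated by a tag filter, to check that internal() messages stay off the wire.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Source:
    name: str
    tags: frozenset = frozenset()       # models tags(...) on a source


@dataclass(frozen=True)
class LogPath:
    destination: str
    sources: tuple = ()                 # explicitly listed source names
    catch_all: bool = False             # models flags(catch-all)
    require_tag: Optional[str] = None   # models a filter containing tags(x)

    def accepts(self, src: Source) -> bool:
        # A catch-all path behaves as if every source were listed.
        if not self.catch_all and src.name not in self.sources:
            return False
        # The tag filter then drops messages whose source lacks the tag.
        return self.require_tag is None or self.require_tag in src.tags


# Constructed sample configuration (hypothetical names).
SOURCES = [
    Source("s_udp", frozenset({"net"})),
    Source("s_tcp", frozenset({"net"})),
    Source("s_internal"),               # untagged: must stay local
]
LOCAL = LogPath("d_local_file", sources=("s_internal",))
UNFILTERED = [LogPath("d_central", catch_all=True), LOCAL]
TAG_FILTERED = [LogPath("d_central", catch_all=True, require_tag="net"), LOCAL]


def routing_table(paths):
    """Map each source name to the destinations its messages reach."""
    return {s.name: [p.destination for p in paths if p.accepts(s)]
            for s in SOURCES}


def sources_reaching(paths, destination):
    """Audit helper: which sources end up at a given destination."""
    return sorted(n for n, d in routing_table(paths).items() if destination in d)


if __name__ == "__main__":
    for label, paths in (("catch-all only", UNFILTERED),
                         ("catch-all + tag filter", TAG_FILTERED)):
        print(label, routing_table(paths))
```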