On Feb 6, 2014 3:42 PM, "C. L. Martinez" <carlopmart@gmail.com> wrote:
>
> Hi all,
>
>  Is it possible to add multiple rewrite conditions in syslog-ng 3.4.x like this:
>
> rewrite r_rewrite_set {
>     set("myhost1", value("HOST") condition(program("myapplication1")));
>     set("myhost2", value("HOST") condition(program("myapplication2")));
>     set("myhost3", value("HOST") condition(program("myapplication3")));
>     set("myhost4", value("HOST") condition(program("myapplication4")));
> };
>

Well, this would sequentially evaluate the filters, and then apply the rewrite rule which matches.

If this is the only thing you want to change based on the program filter, then it should be ok.

If you have or will have more rewrites using the same condition, I'd use the junction syntax instead.

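junction {
   log {
      # branch taken only when the program filter matches
      filter { program(...); };
      rewrite { };
      # stop here on a match; later branches are not evaluated
      flags(final);
   };
   log { };
   ...
};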

This should break out at the first match, instead of trying to match all.

What's more, this whole junction block can be created as a rewrite rule, and then referenced in multiple logpaths.

> ??
>
>  Is this a good option or maybe a performance penalty??
>
> Thanks.
>
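
The junction layout described in the reply, applied to the four programs from the question, as an added example that is not part of the original thread. The source and destination names and paths are assumptions, and the branches are written with the `channel` keyword.

```conf
@version: 3.4

# Assumed source and destination; names and paths are illustrative only.
source s_local { unix-dgram("/dev/log"); };
destination d_all { file("/var/log/all.log"); };

log {
    source(s_local);
    junction {
        # One branch per program. flags(final) ends evaluation at the
        # first branch whose filter matches, so later filters are skipped.
        channel {
            filter { program("myapplication1"); };
            rewrite { set("myhost1", value("HOST")); };
            flags(final);
        };
        channel {
            filter { program("myapplication2"); };
            rewrite { set("myhost2", value("HOST")); };
            flags(final);
        };
        channel {
            filter { program("myapplication3"); };
            rewrite { set("myhost3", value("HOST")); };
            flags(final);
        };
        channel {
            filter { program("myapplication4"); };
            rewrite { set("myhost4", value("HOST")); };
            flags(final);
        };
        # Catch-all branch: messages from any other program pass through
        # with HOST unchanged instead of being dropped by the junction.
        channel { };
    };
    destination(d_all);
};
```

Without the empty catch-all branch, a message that matches none of the four filters would not leave the junction and would never reach the destination.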