On Sat, Feb 8, 2014 at 6:11 AM, Balazs Scheidler <bazsi77@gmail.com> wrote:
On Feb 6, 2014 3:42 PM, "C. L. Martinez" <carlopmart@gmail.com> wrote:
Hi all,
Is it possible to add multiple rewrite conditions in syslog-ng 3.4.x like this:
rewrite r_rewrite_set {
    set("myhost1", value("HOST") condition(program("myapplication1")));
    set("myhost2", value("HOST") condition(program("myapplication2")));
    set("myhost3", value("HOST") condition(program("myapplication3")));
    set("myhost4", value("HOST") condition(program("myapplication4")));
};
Well, this would sequentially evaluate the filters, and then apply the rewrite rule which matches.
If this is the only thing you want to change based on the program filter, then it should be ok.
If you have or will have more rewrites using the same condition, I'd use the junction syntax instead.
Junction { Log { Filter { program(...); }; Rewrite {} Flags(final); } Log {}; ... }
This should break out at the first match, instead of trying to match all.
Thanks Balazs and sorry for this late response. I like the idea of being able to use junctions, but I don't see very clearly how to set it up. For example, my actual syslog-ng.conf works using conditional rewrites:

@version: 3.4

options {
    log_fifo_size(30000);
    use_dns (no);
    use_fqdn (no);
    keep_hostname (yes);
    stats_level(2);
};

source s_network {
    # no-multi-line means parse message as-is, newlines included, to allow for multi-line messages
    tcp(port(10514) flags(no-multi-line));
    udp(port(10514) flags(no-multi-line));
};

rewrite r_custom_hosts {
    set("1.1.1.1", value("HOST") condition(program("app1")));
    set("2.2.2.2", value("HOST") condition(program("app2")));
    set("3.3.3.3", value("HOST") condition(program("app3")));
};

destination d_test { file("/tmp/test.log"); };

log {
    source(s_network);
    rewrite(r_custom_hosts);
    log { destination(d_test); flags(flow-control,final); };
};

Using junctions, would it be like this?

@version: 3.4

options {
    log_fifo_size(30000);
    use_dns (no);
    use_fqdn (no);
    keep_hostname (yes);
    stats_level(2);
};

source s_network {
    # no-multi-line means parse message as-is, newlines included, to allow for multi-line messages
    tcp(port(10514) flags(no-multi-line));
    udp(port(10514) flags(no-multi-line));
};

destination d_test { file("/tmp/test.log"); };

log {
    source(s_network);
    junction {
        filter { program("app1") };
        rewrite { set("1.1.1.1", value("HOST") };
        flags(final);
    };
    junction {
        filter { program("app2") };
        rewrite { set("2.2.2.2", value("HOST") };
        flags(final);
    };
    rewrite(r_custom_hosts);
    log { destination(d_test); flags(flow-control,final); };
};
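
An added example, not part of the thread and not the syslog-ng project's own configuration: one way the first-match junction described above could be written, assuming the documented `junction { channel { ... }; };` form with inline filter and rewrite blocks. The source, destination and app1 to app3 mappings are taken from the message above; the catch-all channel is an assumption added here so that messages from other programs still reach the destination with their original HOST.

```conf
@version: 3.4

source s_network {
    tcp(port(10514) flags(no-multi-line));
    udp(port(10514) flags(no-multi-line));
};

destination d_test { file("/tmp/test.log"); };

log {
    source(s_network);

    # One junction holds all branches. Each branch is a channel; flags(final)
    # on a channel stops evaluation at the first branch whose filter matches.
    junction {
        channel {
            filter { program("app1"); };
            rewrite { set("1.1.1.1", value("HOST")); };
            flags(final);
        };
        channel {
            filter { program("app2"); };
            rewrite { set("2.2.2.2", value("HOST")); };
            flags(final);
        };
        channel {
            filter { program("app3"); };
            rewrite { set("3.3.3.3", value("HOST")); };
            flags(final);
        };
        # Catch-all branch (assumption): no filter, no rewrite, so messages
        # from any other program pass the junction with HOST unchanged
        # instead of being filtered out by it.
        channel { };
    };

    # Everything that left the junction through any channel is written here.
    destination(d_test);
    flags(flow-control);
};
```

Running `syslog-ng --syntax-only -f <file>` against the file checks that the installed version accepts the syntax before it is deployed.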