On Friday, December 16, 2011 21:59 CET, Patrick Hemmer <syslogng@feystorm.net> wrote:
Would it be possible to set tags on a message when it is matched by a `log {}` statement? This would be useful for complex log configurations so you could filter out messages that were logged by previous `log {}` statements without having to write really long `filter {}`s.
I'm not sure if this is possible or not. Would depend on the order of operations, like if a filter block in a latter log statement is evaluated at the same time as an earlier filter block, or if its evaluated when it reaches the `log {}`.
Hi, currently that is possible only with a small workaround: using a rewrite rule to modify the $TAGS field of the message. Something like: rewrite r_rewrite_tag1 { set("$TAGS,tag1", value("TAGS"));}; Then a log statement would look like: log { source(s_local); filter(f_a); r_rewrite_tag1; destination(d_a); }; http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.3-guide... You can probably combine the filter and the rewrite into a single conditional rewrite rule to simplify the log statement. http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.3-guide... Regards, Robert
Such a config would look like
filter f_a { facility(mail); }; log { source(s_local); filter(f_a); destination(d_a); tags("tag1"); };
filter f_b { facility(local0); }; log { source(s_local); filter(f_b); destination(d_b); tags("tag1"); };
filter f_c { not tags("tag1"); }; log { source(s_local); filter(f_c); destination (d_c); }; ______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq