I would suggest to do this mapping _after_ the db-parser() stuff, e.g. I would use db-parser _only_ to extract name-value pairs and then do mappings from syslog-ng configuration file:

parser {

channel {

parser { db-parser(); };

       rewrite { set("telnet" value("LOCALPORT") condition("${LOCALPORT}" == "23"))); };
       rewrite { set("ssh" value("LOCALPORT") condition("${LOCALPORT}" == "22"))); };
    };

};

We would definitely need to improve the syntax in the rewrite portion though, and I am willing to invest some efforts in that direction.

My point really is that db-parser() should be used for extraction, the rest of the syntax language for munging/mapping.

--
Bazsi

On Tue, Jan 12, 2016 at 4:47 PM, Fabien Wernli <wernli@in2p3.fr> wrote:

Hi Mark,

You can use template functions in patterndb [1].
The idea is to add a value to the matched message, which contains the result
of a template function. You could for instance use the "if" function:

<values>
<value name="svc">$(if ("${port}" == "22") "ssh" "telnet")</value>
</values>

If you need anything more complex, and if you are using the 3.7.x series,
you could even use a python script using the "python" template function.

Cheers

[1] https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html-single/index.html#reference-template-functions

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq