I've got two different log paths defined that have the same rewrite included in them. The second log path always causes the rewrite to overwrite the incorrect macro value.
######################## # Destinations ########################
destination dn_json { tcp( "logstash" port(10514) so_keepalive(yes) template("$(format_json --pair \@timestamp=\"$ISODATE\" message=\"$MESSAGE\" priority=\"$PRIORITY\" severity=\"$SEVERITY\" facility=\"$FACILITY\" program=\"$PROGRAM\" pid=\"$PID\" date=\"$R_DATE\" host=\"$HOST\" )\n") ); };
######################## #Rewrites ########################
rewrite r_no_pid{ set("0", value("PID") condition("$PID" =="")); };
######################## # Log paths # order matters if you use "flags(final);" to mark the end of processing in a # "log" statement. ORDER MATTERS! #######################
Send all log events on to logstash log { source(s_remote); rewrite(r_no_pid); destination(dn_json); };
log { source(s_netloghost); rewrite(r_no_pid); destination(df_netloghost); destination(dn_opennms); destination(dn_json); };
If the above configuration is used the events that pass through the second log path have their MESSAGE macro overwritten as "0" instead of their PID macro as is defined in the r_no_pid rewrite rule. The events that pass through the first logpath behave as expected. If I comment out the first logpath then the second behaves as expected. -Dave