Can I OR filters when they are in the form filter(filter_name); such as
filter(f_foo); or filter(f_bar);
or does it have to be the long form:
filter { message='foo' or message='bar' }
The problem I'm having is that my filters are very large and I need to compare four of them for each message on the log path
and so I don't want to write them inline inside of the log path.
Thanks,
-Mark
From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> On Behalf Of Nagy Gábor
Sent: Wednesday, March 23, 2022 10:03
To: wernli@in2p3.fr; Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: [EXTERNAL] Re: [syslog-ng] Value is dropped or unset in resolved destination template
Hi Mark,
Fabien is right, you should have a default value.
You are using the rewrite rules that set $location inside an if statement.
Maybe what happens is that in some cases a log doesn't match which leads to an unset $location.
Don't you have directories with $location's value too?
So you have both:
("`BASEPATH`//$(lowercase ${HOST})/$app/$(lowercase ${HOST})_$app.log"
("`BASEPATH`/$location/$(lowercase ${HOST})/$app/$(lowercase ${HOST})_$app.log"
Or $location is always empty on the destination side?
Gabor
Fabien Wernli <wernli@in2p3.fr> wrote (on Wed, Mar 23, 2022, 15:04):
Hi Mark,
It's really hard to tell what's happening without seeing your full
configuration. Remember messages can go through multiple logpaths, some of
which the variables are probably empty in.
That being said, if I were you I'd use a default value for your macros in any
case, much safer e.g.:
destination d_default {
    file("`BASEPATH`/${location:-hidden}/$(lowercase ${HOST})/${app:-unknown}/$(lowercase ${HOST})_${app:-unknown}.log"
         create_dirs(yes)
         flags("threaded", "no-multi-line"));
};
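
An added example, not part of the thread and not the poster's configuration: named filters can be combined by calling them with filter() inside another filter block, and an else branch gives $location a value when the if condition does not match. The @version line, the BASEPATH value, s_net, f_site_a, the filter bodies and the "site-a" value are assumptions made for illustration.

```conf
@version: 3.35                       # assumed; use the version you run
@define BASEPATH "/var/log/remote"   # constructed value, not shown in the thread

source s_net { network(transport("udp") port(514)); };   # hypothetical source

# Large filters stay as named blocks (bodies here are short placeholders).
filter f_foo { message("foo"); };
filter f_bar { message("bar"); };

# filter() calls another named filter, so the blocks can be OR-ed by name
# instead of being written inline in the log path.
filter f_foo_or_bar { filter(f_foo) or filter(f_bar); };

# Hypothetical rule deciding which hosts belong to a location.
filter f_site_a { host("^sitea-"); };

destination d_default {
    file("`BASEPATH`/${location:-hidden}/$(lowercase ${HOST})/${app:-unknown}/$(lowercase ${HOST})_${app:-unknown}.log"
         create_dirs(yes)
         flags("threaded", "no-multi-line"));
};

log {
    source(s_net);
    filter(f_foo_or_bar);
    if (filter(f_site_a)) {
        rewrite { set("site-a", value("location")); };
    } else {
        # Without this branch, messages that miss the if keep $location unset
        # and the path collapses to BASEPATH//host/... as seen in the thread.
        rewrite { set("hidden", value("location")); };
    };
    destination(d_default);
};
```

The ${location:-hidden} default in the template still covers messages that reach d_default through a different log path where no rewrite rule ran.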