Basically, in my setup, I received a jSON and the all usual (default) syslog packets in my server. But, I have a simple filter "f_blacklist_network_by_clientip" based in a jSON field. everything works well, the problem is because when my filter "f_blacklist_network_by_clientip" return OK, the junction() goes to the next statement processing the d_default_handler() destination.
My doubt is: how to stop the processing when my filter f_blacklist_network_by_clientip() returns OK?
log {
source(s_internet);
junction {
channel {
filter(f_wb_access_log);
parser(p_msg2json);
filter(f_blacklist_network_by_clientip);
destination(d_wb_access_log);
flags(final);
};
# Default destination
channel {
# DOUBT: how to don't processing if the f_blacklist_network_by_clientip return OK?
destination(d_default_handler);
};
};
};
filter f_wb_access_log { program("wb_access"); };
parser p_msg2json { json-parser( marker("") prefix("j.")); };
filter f_blacklist_network_by_clientip {
not match("^127\.0\.", value("j.clientip"));
not match("^172\.16\.", value("j.clientip"));
not match("^172\.26\.", value("j.clientip"));
not match("^172\.31\.", value("j.clientip"));
# if match, stop the processing and don't jump to "channel { destination(d_default_handler); };
};
destination d_wb_access_log {
file("/var/log/syslog-ng/wb/${j.webapp_domain:-invalid_gw_access}_access.log"
create_dirs(yes) template("${MSG}\n")
);
};
destination d_default_handler {
file("/var/log/syslog-ng/servers/${HOST}/${FACILITY:-invalid_facility}.log"
create_dirs(yes)
);
};