On Wednesday 06 March 2019, you wrote:

> Could you share your use case, where you wanted to "replace" log blocks?

My use case is the reducing  /var/log/messages when new software installed.
This can be implemented through the filter override but not so visual.

For example a base config:

==
...
filter f_mesgs          { level(info) and not facility(mail,authpriv); };
destination mesg        { file("/var/log/syslog/messages"); };

log { source(sys); filter(f_mesgs); destination(mesg); };
...
@include "/etc/syslog-ng/conf.d/*.conf"
==

Then I install Cyrus-IMAP for example.

== conf.d/cyrus-imap.conf ==
...
filter f_cyrus          { match("cyrus/"); };
filter f_not_cyrus      { not match("cyrus/"); };
...
log { source(sys); filter(f_cyrus); destination(cyrus); };
==

But some messages of Cyrus-IMAP is satisfy to the f_mesgs condition.
I can redifine f_mesgs:

filter f_mesgs          { level(info) and not facility(mail,authpriv) and not match("cyrus/"); };

But the log override is more succinctly:

log { source(sys); filter(f_mesgs); filter (f_not_cyrus); destination(mesg); };

In this example, the "f_not_cyrus" filter is simple but they can be
more complex. The "f_mesg" filter can be difficult to read in the
result.

--
Regards, Sergey
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq