Hi folks,

Basically, in my setup, I receive JSON and all the usual (default) syslog packets on my server. But I have a simple filter, "f_blacklist_network_by_clientip", based on a JSON field. Everything works well; the problem is that when my filter "f_blacklist_network_by_clientip" returns OK, the junction() goes on to the next statement and processes the d_default_handler() destination.

My doubt is: how do I stop the processing when my filter f_blacklist_network_by_clientip() returns OK?

<SNIP>
log {
    source(s_internet);
    junction {
        channel {
            filter(f_wb_access_log);
            parser(p_msg2json);
            filter(f_blacklist_network_by_clientip);
            destination(d_wb_access_log);
            flags(final);
        };
        # Default destination
        channel {
            # DOUBT: how to not process this if f_blacklist_network_by_clientip returns OK?
            destination(d_default_handler);
        };
    };
};

filter f_wb_access_log { program("wb_access"); };

parser p_msg2json { json-parser(marker("") prefix("j.")); };

# A filter body is a single boolean expression, so the conditions are joined with "and".
filter f_blacklist_network_by_clientip {
    not match("^127\.0\.", value("j.clientip")) and
    not match("^172\.16\.", value("j.clientip")) and
    not match("^172\.26\.", value("j.clientip")) and
    not match("^172\.31\.", value("j.clientip"));
    # if match, stop the processing and don't jump to "channel { destination(d_default_handler); };"
};

destination d_wb_access_log {
    file("/var/log/syslog-ng/wb/${j.webapp_domain:-invalid_gw_access}_access.log"
         create_dirs(yes) template("${MSG}\n"));
};

destination d_default_handler {
    file("/var/log/syslog-ng/servers/${HOST}/${FACILITY:-invalid_facility}.log"
         create_dirs(yes));
};
</SNIP>
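Added example, not part of the original post: one way to keep wb_access messages that fail f_blacklist_network_by_clientip out of d_default_handler is to make the default channel reject wb_access traffic itself. The filter name f_not_wb_access_log is hypothetical, and the example assumes the goal is that such messages are written nowhere.

```conf
# Added example. f_not_wb_access_log is a hypothetical name; every other
# name comes from the posted configuration.
filter f_not_wb_access_log { not filter(f_wb_access_log); };

log {
    source(s_internet);
    junction {
        channel {
            filter(f_wb_access_log);
            parser(p_msg2json);
            filter(f_blacklist_network_by_clientip);
            destination(d_wb_access_log);
            # final only takes effect for messages that passed every
            # filter in this channel; a message rejected by the clientip
            # filter is still offered to the next channel.
            flags(final);
        };
        channel {
            # Reject wb_access traffic here, so a message dropped by the
            # clientip filter above matches neither channel and is
            # discarded instead of reaching the default destination.
            filter(f_not_wb_access_log);
            destination(d_default_handler);
        };
    };
};
```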