Hi, the simplest way right now is the set-tag() rewrite operation, that together with condition() might do the trick. I know there should be an easier way, but I'm afraid there isn't. I'm thinking about how this should work in the long term, but right now I don't have a clear idea. ----- Original message -----
I have a situation where syslog-ng processes a syslog line, users paserdb and does lots of work and finally sends the complete object via json to an external application. This application does some thinking and based on some other data sources needs to send the log message back into syslog-ng with a different set of TAGS so that it gets routed through syslog-ng to a different destination program.
The problem I am having is that syslog-ng does not use the TAGS in the incoming json object. The TAGS get replaced with the TAGS on the "source" of the syslog-ng that reads the json object, and augmented with any patterndb processing.
Can anyone think of a way to get some arbitrary set of TAGS (possibly in a different custom macro) placed into the TAGS macro so that all of the filters on tags can be used.
For example, I could make a patterndb for each individual tag value, and invoke each patterndb on the MyTags value. If there is a match then tag the message with the TAG. I would need to know all of the TAGS in advance and would probably not perform all that well, but it would work.
Thanks in advance for any other suggestions.
-- Evan Rempel erempel@uvic.ca Senior Systems Administrator 250.721.7691 Data Centre Services, University Systems, University of Victoria ______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq