that might be the case for the port mapping, however I think it would be nice to have map() as a rewrite operation, e.g. one that maps specific values to others. And also, improving the conditional evaluation somehow would be great.

Right now we have to do stuff like:

channel {

    log { filter(blabla); conditional processing here; flags(final); };
    log { filter(blabla2); conditional2 processing here; flags(final); };
    log { filter(blabla3); conditional3 processing here; flags(final); };

};

It would be _much_ nicer to have something like this:

channel {
    if (blabla) { conditional processing here; };
    if (blabla2) { conditional2 processing here; };
    if (blabla3) { conditional3 processing here; };

};

We could perhaps add else as well.

--
Bazsi

On Tue, Jan 12, 2016 at 5:25 PM, Tibor Benke <ihrwein@gmail.com> wrote:

AFAIK there is a getent() function in syslog-ng-incubator for the port -> protocol translation.

2016-01-12 17:15 GMT+01:00 Scheidler, Balázs <balazs.scheidler@balabit.com>:
I would suggest to do this mapping _after_ the db-parser() stuff, e.g. I would use db-parser _only_ to extract name-value pairs and then do mappings from syslog-ng configuration file:

parser {
    channel {
       parser { db-parser(); };
       rewrite { set("telnet" value("LOCALPORT") condition("${LOCALPORT}" == "23"))); };
       rewrite { set("ssh" value("LOCALPORT") condition("${LOCALPORT}" == "22"))); };
    };
};

We would definitely need to improve the syntax in the rewrite portion though, and I am willing to invest some efforts in that direction.

My point really is that db-parser() should be used for extraction, the rest of the syntax language for munging/mapping.

--
Bazsi

On Tue, Jan 12, 2016 at 4:47 PM, Fabien Wernli <wernli@in2p3.fr> wrote:
Hi Mark,

You can use template functions in patterndb [1].
The idea is to add a value to the matched message, which contains the result
of a template function. You could for instance use the "if" function:

<values>
<value name="svc">$(if ("${port}" == "22") "ssh" "telnet")</value>
</values>

If you need anything more complex, and if you are using the 3.7.x series,
you could even use a python script using the "python" template function.

Cheers

[1] https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html-single/index.html#reference-template-functions

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq