A while back I was asking about the json parser and how to get the TAGS from the json object into the
TAGS of the syslog-ng internal structure so that I could make filters on them.

Now I am trying again, following Balazs suggestion of using set-tag(), however, I find that the rewrite

rewrite r_set_sometag {
    set-tag("sometag" condition(filter(f_should_set_sometag)) );
};

is not supported.

I thought that I would be able to use the filter in the log statement such as

log {
    source(s_some);
    log {
        filter(f_should_set_sometag);
        rewrite(r_set_sometag);
        destination(d_dest);
    };
};

This works for one tag, but I have multiple tags that I want to set which gives be a factorial(N)
branching sequence which is not feasible.

Using junction/channels ends up producing multiple output lines when multiple TAGS are set :-(

Can anyone think of a way to set an arbitrary set of TAGS on a syslog message given an
arbitrary set of "set-tag-flags" presented in other macro values?

Should the set-tag rewrite support conditionals?

Thanks in advance ... again.

Evan.

On 03/28/2013 09:56 PM, Balazs Scheidler wrote:


Hi,

the simplest way right now is the set-tag() rewrite operation, that together with condition() might do the trick.

I know there should be an easier way, but I'm afraid there isn't.

I'm thinking about how this should work in the long term, but right now I don't have a clear idea.

----- Original message -----
> I have a situation where syslog-ng processes a syslog line, users
> paserdb and does lots of work and finally sends the complete object via
> json to an external application. This application does some thinking and
> based on some other data sources needs to send the log message back into
> syslog-ng with a different set of TAGS so that it gets routed through
> syslog-ng to a different destination program.
>
> The problem I am having is that syslog-ng does not use the TAGS in the
> incoming json object. The TAGS get replaced with the TAGS on the
> "source" of the syslog-ng that reads the json object, and augmented with
> any patterndb processing.
>
> Can anyone think of a way to get some arbitrary set of TAGS (possibly in
> a different custom macro) placed into the TAGS macro so that all of  the
> filters on tags can be used.
>
> For example, I could make a patterndb for each individual tag value, and
> invoke each patterndb on the MyTags value. If there is a match then tag
> the message with the TAG. I would need to know all of the TAGS in
> advance and would probably not perform all that well, but it would work.