Thank you both, this is very helpful. I can use this.

Is it only possible to set variables by adding to the message? Can variables exist outside of the message?

-Mark

From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> On Behalf Of Péter, Kókai
Sent: Saturday, March 23, 2019 4:34 AM
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] Setting and using variables

Hello,

You could use a *rewrite* rule to add an nv-pair to each message:

    log {
        source(s_local);
        if (message('a')) {
            rewrite {
                set("foo" value("app"));
                set("bar" value("location"));
            };
        } elif (message('b')) {
            rewrite {
                set("foob" value("app"));
                set("barb" value("location"));
            };
        } else {
            rewrite {
                set("default" value("app"));
                set("default" value("location"));
            };
        };
        destination {
            file("/dev/stdout" template("$app $location\n"));
        };
    };

Something like this.

--
Kokan

On Fri, Mar 22, 2019 at 2:37 PM Faine, Mark R. (MSFC-IS40)[NICS] <mark.faine@nasa.gov> wrote:

Is there a way to set variables in syslog-ng?

I have a log path with about 20 if/else branches and each one does an unnamed destination for that branch:

    log {
        source(pan_splunk);
        if ( tags('mytag') ) {
            destination {
                file("/var/log/remote/backup/$HOST/asa/${HOST}_asa.log" create-dirs(yes) dir-owner("splunk") dir-group("splunk") dir-perm(0750));
            };
        } elif ( message('something else') ) {
            destination {
                file("/var/log/remote/backup/$HOST/pubfw/${HOST}_pubfw.log" create-dirs(yes) dir-owner("splunk") dir-group("splunk") dir-perm(0750));
            };
        } elif {
            filter { message('foo') or message('bar') or message('baz') or ...

I'd need to introduce another directory level as a variable and I'd also like to change an existing part of the path to a variable so that I could then do something like this:

    if ( tags('mytag') ) {
        app = asa
        location = msfc
    elif ...
and at the end I could then just do a single destination that had a file path with the variables

    file("/var/log/remote/backup/$location/$HOST/$app/${HOST}_$app.log"

Thanks,
-Mark

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
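
The rewrite approach from the reply, applied to the log path in the original question, as an added example that is not part of either poster's messages. The location value for the second branch and the two fallback values are assumptions; the source pan_splunk is assumed to be defined elsewhere in the configuration.

```conf
log {
    source(pan_splunk);    # source name from the original question, defined elsewhere

    if (tags("mytag")) {
        rewrite {
            # Fixed strings chosen in the config, not taken from message content
            set("asa"  value("app"));
            set("msfc" value("location"));
        };
    } elif (message("something else")) {
        rewrite {
            set("pubfw" value("app"));
            set("msfc"  value("location"));    # assumed value for this branch
        };
    } else {
        # Catch-all branch: a name-value pair that was never set expands to an
        # empty string, which would leave empty components in the file path
        # below. Setting fallback values keeps unmatched messages in a
        # predictable directory. Both values are assumptions.
        rewrite {
            set("unclassified" value("app"));
            set("unknown"      value("location"));
        };
    };

    # One destination for every branch; the path is built from the pairs set above
    destination {
        file("/var/log/remote/backup/${location}/${HOST}/${app}/${HOST}_${app}.log"
             create-dirs(yes) dir-owner("splunk") dir-group("splunk") dir-perm(0750));
    };
};
```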