Hello, In short: only messages can have *variables*. Approach #1 Let's imagine that for example a *logpath* can have variable. Create the following construct: log { var("location", "space"); var("app", "sputnik-1"); }; Also do it in a way that those variables scope and lifetime are limited to the that *logpath*. (Which is just an arbitrary choose, but also somehow makes sense at first glance.) Your configuration would be as follows: log { source(s_local); if (message('a')) { var("app", "foo"); var("location" "bar"); } elif (message('b')) { var("app", "foob"); var("location" "barb"); } else { var("app", "default"); var("location" "default"); }; destination { file("/dev/stdout" template("$app $location\n")); }; }; The *if-else* actually just a *logpath* in the background - can be rewritten so it became a *log*, so our scope would still apply. When the message reaches the *destination* it cannot see the *variable* as neither its lifetime and scope allows it. This approach won't solve this issue. Approach #2 The same as above but let's patch the lifetime/scope issue. Let's increase both of them to be available from parent (global can be done, but won't change much). log { log { var("location", "space"); var("app", "sputnik-1"); }; #location works here }; #but not here In this case the variable collide with each other, there is no useful merge strategy (imho).
From this it seems that even if *logpath* could have variable support, it would not solve your issue. At least I do not see a proper way to do it on paper.
Also I think from the above it feels like it is actually a property of the message nor the pipeline it traverse. If you have an idea that solves the above issue I would be happy to hear it. -- Kokan On Mon, Mar 25, 2019 at 2:07 PM Faine, Mark R. (MSFC-IS40)[NICS] < mark.faine@nasa.gov> wrote:
Thank you both, this is very helpful. I can use this. Is it only possible to set variables by adding to the message? Can variables exist outside of the message?
-Mark
*From:* syslog-ng <syslog-ng-bounces@lists.balabit.hu> *On Behalf Of *Péter, Kókai *Sent:* Saturday, March 23, 2019 4:34 AM *To:* Syslog-ng users' and developers' mailing list < syslog-ng@lists.balabit.hu> *Subject:* Re: [syslog-ng] Setting and using variables
Hello,
You could use *rewrite* rule to add nv-pair to each message:
log {
source(s_local);
if (message('a')) {
rewrite {
set("foo" value("app"));
set("bar" value("location"));
};
}
elif (message('b')) {
rewrite {
set("foob" value("app"));
set("barb" value("location"));
};
}
else {
rewrite {
set("default" value("app"));
set("default" value("location"));
};
};
destination {
file("/dev/stdout" template("$app $location\n"));
};
};
Something like this.
--
Kokan
On Fri, Mar 22, 2019 at 2:37 PM Faine, Mark R. (MSFC-IS40)[NICS] < mark.faine@nasa.gov> wrote:
Is there a way to set variables in syslog-ng?
I have a log path with about 20 if/else branches and each one does a unnamed destination for that branch:
log { source(pan_splunk); if ( tags('mytag') ) { destination { file("/var/log/remote/backup/$HOST/asa/${HOST}_asa.log" create-dirs(yes) dir-owner("splunk") dir-group("splunk") dir-perm(0750)); }; } elif ( message('something else') ) { destination { file("/var/log/remote/backup/$HOST/pubfw/${HOST}_pubfw.log" create-dirs(yes) dir-owner("splunk") dir-group("splunk") dir-perm(0750)); }; } elif { filter { message('foo') or message('bar') or message('baz') or ...
I'd need to introduce another directory level as a variable and I'd also like to change an existing part of the path to a variable so that then I could then do something like this:
if ( tags('mytag') ) { app = asa location = msfc elif ...
and at the end I could then just do a single destination that had a file path with the variables file("/var/log/remote/backup/$location/$HOST/$app/${HOST}_$app.log"
Thanks, -Mark
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng <https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.balabit.hu_mailman_listinfo_syslog-2Dng&d=DwMFaQ&c=ApwzowJNAKKw3xye91w7BE1XMRKi2LN9kiMk5Csz9Zk&r=zMyZvtxRXMBKZZYKVMke9zplWK320p3d51BzuU4jwWo&m=0oCgkJqh7N_Ja-VdtmDlAS5pzhA0puqJm8zcAaXJyjY&s=YY8TzLxmhOq_o7pu7ONHbV6I7OVpIy1P7TQUfp_hm8M&e=> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.balabit.com_support_documentation_-3Fproduct-3Dsyslog-2Dng&d=DwMFaQ&c=ApwzowJNAKKw3xye91w7BE1XMRKi2LN9kiMk5Csz9Zk&r=zMyZvtxRXMBKZZYKVMke9zplWK320p3d51BzuU4jwWo&m=0oCgkJqh7N_Ja-VdtmDlAS5pzhA0puqJm8zcAaXJyjY&s=DrlT7sUf5X_xKiPK3ca7WDhiw-xr4D7mtnSfL2yXiAQ&e=> FAQ: http://www.balabit.com/wiki/syslog-ng-faq <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.balabit.com_wiki_syslog-2Dng-2Dfaq&d=DwMFaQ&c=ApwzowJNAKKw3xye91w7BE1XMRKi2LN9kiMk5Csz9Zk&r=zMyZvtxRXMBKZZYKVMke9zplWK320p3d51BzuU4jwWo&m=0oCgkJqh7N_Ja-VdtmDlAS5pzhA0puqJm8zcAaXJyjY&s=LvSPfbLLubjWgsCznHSgC7oIi6YzCi5LjVylqe_y5f8&e=>
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq