Hello,

In short: only messages can have *variables*.

Approach #1
Let's imagine that for example a *logpath* can have variable. Create the following construct:

log {
  var("location", "space");
  var("app", "sputnik-1");
};

Also do it in a way that those variables scope and lifetime are limited to the that *logpath*. (Which is just an arbitrary choose, but also somehow makes sense at first glance.)

Your configuration would be as follows: 

log {
        source(s_local);

        if (message('a')) {
                var("app", "foo");
                var("location" "bar");
        }
        elif (message('b')) {
                var("app", "foob");
                var("location" "barb");
        }
        else {
                var("app", "default");
                var("location" "default");
        };

        destination {
                file("/dev/stdout" template("$app $location\n"));
        };
};

The *if-else* actually just a *logpath* in the background - can be rewritten so it became a *log*, so our scope would still apply.

When the message reaches the *destination* it cannot see the *variable* as neither its lifetime and scope allows it.

This approach won't solve this issue.

Approach #2

The same as above but let's patch the lifetime/scope issue. Let's increase both of them to be available from parent (global can be done, but won't change much).
log {
log {
  var("location", "space");
  var("app", "sputnik-1");
};
  #location works here
};
#but not here

In this case the variable collide with each other, there is no useful merge strategy (imho).


From this it seems that even if *logpath* could have variable support, it would not solve your issue. At least I do not see a proper way to do it on paper.

Also I think from the above it feels like it is actually a property of the message nor the pipeline it traverse.


If you have an idea that solves the above issue I would be happy to hear it.



--
Kokan

On Mon, Mar 25, 2019 at 2:07 PM Faine, Mark R. (MSFC-IS40)[NICS] <mark.faine@nasa.gov> wrote:

Thank you both, this is very helpful.  I can use this.  Is it only possible to set variables by adding to the message?  Can variables exist outside of the message?

 

-Mark

 

 

From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> On Behalf Of Péter, Kókai
Sent: Saturday, March 23, 2019 4:34 AM
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] Setting and using variables

 

Hello,

 

You could use *rewrite* rule to add nv-pair to each message:

 

log {

        source(s_local);

 

        if (message('a')) {

                rewrite {

                        set("foo" value("app"));

                        set("bar" value("location"));

                };

        }

        elif (message('b')) {

                rewrite {

                        set("foob" value("app"));

                        set("barb" value("location"));

                };

        }

        else {

                rewrite {

                        set("default" value("app"));

                        set("default" value("location"));

                };

        };

 

 

        destination {

                file("/dev/stdout" template("$app $location\n"));

        };

};

 

Something like this.

 

--

Kokan

 

 

On Fri, Mar 22, 2019 at 2:37 PM Faine, Mark R. (MSFC-IS40)[NICS] <mark.faine@nasa.gov> wrote:

Is there a way to set variables in syslog-ng?

I have a log path with about 20  if/else branches and each one does a unnamed destination for that branch:

log {
     source(pan_splunk);
     if ( tags('mytag') ) {
         destination {
           file("/var/log/remote/backup/$HOST/asa/${HOST}_asa.log"
           create-dirs(yes) dir-owner("splunk") dir-group("splunk") dir-perm(0750));
         };
     } elif ( message('something else') ) {
         destination {
           file("/var/log/remote/backup/$HOST/pubfw/${HOST}_pubfw.log"
           create-dirs(yes) dir-owner("splunk") dir-group("splunk") dir-perm(0750));
         };
     } elif {
         filter { message('foo')   or
             message('bar')           or
             message('baz')  or
     ...

I'd need to introduce another directory level as a variable and I'd also like to change an existing part of the path to a variable so that then I could then do something like this:

if ( tags('mytag') ) {
    app = asa
    location = msfc
elif
...

and at the end I could then just do a single destination that had a file path with the variables
file("/var/log/remote/backup/$location/$HOST/$app/${HOST}_$app.log"

Thanks,
-Mark



______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq