How to stop the processing if the filter returns true?
Hi folks,

Basically, in my setup, I receive JSON and all the usual (default) syslog packets on my server. But I have a simple filter "f_blacklist_network_by_clientip" based on a JSON field. Everything works well; the problem is that when my filter "f_blacklist_network_by_clientip" returns OK, the junction() goes to the next statement, processing the d_default_handler() destination.

My doubt is: how to stop the processing when my filter f_blacklist_network_by_clientip() returns OK?

*<SNIP>*
log {
    source(s_internet);

    junction {
        channel {
            filter(f_wb_access_log);
            parser(p_msg2json);
            filter(f_blacklist_network_by_clientip);
            destination(d_wb_access_log);
            flags(final);
        };

        # Default destination
        channel {
            # DOUBT: how to not process if the f_blacklist_network_by_clientip returns OK?
            destination(d_default_handler);
        };
    };
};

filter f_wb_access_log { program("wb_access"); };

parser p_msg2json {
    json-parser(marker("") prefix("j."));
};

filter f_blacklist_network_by_clientip {
    not match("^127\.0\.", value("j.clientip"));
    not match("^172\.16\.", value("j.clientip"));
    not match("^172\.26\.", value("j.clientip"));
    not match("^172\.31\.", value("j.clientip"));
    # if match, stop the processing and don't jump to "channel { destination(d_default_handler); };"
};

destination d_wb_access_log {
    file("/var/log/syslog-ng/wb/${j.webapp_domain:-invalid_gw_access}_access.log"
        create_dirs(yes)
        template("${MSG}\n")
    );
};

destination d_default_handler {
    file("/var/log/syslog-ng/servers/${HOST}/${FACILITY:-invalid_facility}.log"
        create_dirs(yes)
    );
};
*</SNIP>*

Hi, you mean something like this? https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-o...

On Wed, Dec 7, 2016 at 12:07 AM, Jorge Pereira <jpereiran@gmail.com> wrote:
participants (2)
- Fekete, Róbert
- Jorge Pereira