Multiple rewrite conditions under 3.4.x
Hi all,

Is it possible to add multiple rewrite conditions in syslog-ng 3.4.x like this:

rewrite r_rewrite_set{
    set("myhost1", value("HOST") condition(program("myapplication1")));
    set("myhost2", value("HOST") condition(program("myapplication2")));
    set("myhost3", value("HOST") condition(program("myapplication3")));
    set("myhost4", value("HOST") condition(program("myapplication4")));
};

??

Is this a good option or maybe a performance penalty??

Thanks.
Hi,

On Thu, Feb 06, 2014 at 02:41:47PM +0000, C. L. Martinez wrote:
Is it possible to add multiple rewrite conditions in syslog-ng 3.4.x like this:
I have done this before, although I had non-conditional rewrites. I guess this makes no difference.

As for performance, maybe you'd better set up a patterndb, but I can't tell which will outperform the other. Try both and make a microbenchmark, then report back to the list :)

Cheers
On Feb 6, 2014 3:42 PM, "C. L. Martinez" <carlopmart@gmail.com> wrote:
Hi all,
Is it possible to add multiple rewrite conditions in syslog-ng 3.4.x
like this:
rewrite r_rewrite_set{
    set("myhost1", value("HOST") condition(program("myapplication1")));
    set("myhost2", value("HOST") condition(program("myapplication2")));
    set("myhost3", value("HOST") condition(program("myapplication3")));
    set("myhost4", value("HOST") condition(program("myapplication4")));
};
Well, this would sequentially evaluate the filters, and then apply the rewrite rule which matches.

If this is the only thing you want to change based on the program filter, then it should be ok.

If you have or will have more rewrites using the same condition, I'd use the junction syntax instead.

junction {
    log {
        filter { program(...); };
        rewrite {};
        flags(final);
    };
    log {};
    ...
}

This should break out at the first match, instead of trying to match all.

What's more, this whole junction block can be created as a rewrite rule, and then referenced in multiple logpaths.
??
Is this a good option or maybe a performance penalty??
Thanks.
On Sat, Feb 8, 2014 at 6:11 AM, Balazs Scheidler <bazsi77@gmail.com> wrote:
On Feb 6, 2014 3:42 PM, "C. L. Martinez" <carlopmart@gmail.com> wrote:
Hi all,
Is it possible to add multiple rewrite conditions in syslog-ng 3.4.x like this:
rewrite r_rewrite_set{
    set("myhost1", value("HOST") condition(program("myapplication1")));
    set("myhost2", value("HOST") condition(program("myapplication2")));
    set("myhost3", value("HOST") condition(program("myapplication3")));
    set("myhost4", value("HOST") condition(program("myapplication4")));
};
Well, this would sequentially evaluate the filters, and then apply the rewrite rule which matches.
If this is the only thing you want to change based on the program filter, then it should be ok.
If you have or will have more rewrites using the same condition, I'd use the junction syntax instead.
junction {
    log {
        filter { program(...); };
        rewrite {};
        flags(final);
    };
    log {};
    ...
}
This should break out at the first match, instead of trying to match all.
Thanks Balazs, and sorry for this late response. I like the idea of being able to use junctions, but I don't see very clearly how to set it up.

For example, my actual syslog-ng.conf works using conditional rewrites:

@version: 3.4

options {
    log_fifo_size(30000);
    use_dns (no);
    use_fqdn (no);
    keep_hostname (yes);
    stats_level(2);
};

source s_network {
    # no-multi-line means parse message as-is, newlines included, to allow for multi-line messages
    tcp(port(10514) flags(no-multi-line));
    udp(port(10514) flags(no-multi-line));
};

rewrite r_custom_hosts {
    set("1.1.1.1", value("HOST") condition(program("app1")));
    set("2.2.2.2", value("HOST") condition(program("app2")));
    set("3.3.3.3", value("HOST") condition(program("app3")));
};

destination d_test { file("/tmp/test.log"); };

log {
    source(s_network);
    rewrite(r_custom_hosts);
    log { destination(d_test); flags(flow-control,final); };
};

Using junctions, would it be like this?

@version: 3.4

options {
    log_fifo_size(30000);
    use_dns (no);
    use_fqdn (no);
    keep_hostname (yes);
    stats_level(2);
};

source s_network {
    # no-multi-line means parse message as-is, newlines included, to allow for multi-line messages
    tcp(port(10514) flags(no-multi-line));
    udp(port(10514) flags(no-multi-line));
};

destination d_test { file("/tmp/test.log"); };

log {
    source(s_network);
    junction {
        filter { program("app1") };
        rewrite { set("1.1.1.1", value("HOST") };
        flags(final);
    };
    junction {
        filter { program("app2") };
        rewrite { set("2.2.2.2", value("HOST") };
        flags(final);
    };
    rewrite(r_custom_hosts);
    log { destination(d_test); flags(flow-control,final); };
};
junction { log { ... }; log { ... }; }
participants (3)
- Balazs Scheidler
- C. L. Martinez
- Fabien Wernli