[syslog-ng] Rewrite Rule Syntax Confusion

Balazs Scheidler bazsi at balabit.hu
Thu Sep 2 17:39:22 CEST 2010


On Thu, 2010-08-26 at 17:50 -0700, Matthew Hall wrote:
> Hello all,
> 
> I am trying to make a combination of a template and a rewrite rule to 
> write my messages into an extension of WELF format to make them easier 
> to process downstream (the entire point of patterndb I guess).
> 
> The template part was trivial and works perfectly. I just used some 
> regex hacking to extract all 45 variable names I used in my patterndbs, 
> then used gawk to dump them out into a giant (escaped) string like this, 
> and pasted it to the config file.
> 
> template("var1=\"$var1\" var2=\"$var2\" ...\n");
> 
> One minor thing: Currently I am forced to expand varfoo="$varfoo" even 
> if the value of $varfoo is empty because a particular message did not 
> contain "$varfoo".
> 
> I suspect I could fix this by writing a C plugin which checks the length 
> before expanding but I wondered if there were an easier way.
> 
> Else maybe we could make this WELF output technique available for 
> everybody because I think the problem could be very common. In any case 
> I can always make the downstream ignore empty expansions for now.

It'd make sense to create a template function for this. I have some
pending patches stuffed somewhere which implement

$(function ...)

to be used in templates. I'm trying to dig that out so you could simply
use:

template("$(format-welf-values)");

Adding plugins into the mixture (the patch is for pre-plugins syslog-ng)
would allow adding plugins implementing template functions.

> 
> The only problem: I want one field at the end of the message to be named 
> 'raw' and contain a double-quote-escaped copy of the raw message. That 
> way if the message contains double quote characters it won't break a 
> parser because they will be escaped right.
> 
> Here is how I thought of doing this after reading the manual:
> 
> rewrite r_add_raw {
>     subst("\"", "\\\"", value("$MSGHDR$MSG"), flags("global")), value("raw"));
> }

you cannot nest rewrite statements, but you can call multiple rewrite
expressions:

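rewrite r_add_raw {
	# copy the header and message text into a new value named "raw"
	set("$MSGHDR$MSG", value("raw"));
	# escape every double quote; without flags("global") only the first match is replaced
	subst("\"", "\\\"", value("raw"), flags("global"));
};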

but again the template function would apply again (not there yet
though):

set("$(escape-quotes $MSGHDR$MSG)" value("raw"));

> 
> However I am getting hit with this syntax error:
> 
> WARNING: Your configuration uses a newly introduced reserved word as 
> identifier, please use a different name; keyword='subst', 
> filename='welf.conf', line='2'
> 
> Apparently I did it wrong, or there is a reason I can't call set on my 
> raw variable to set the raw variable to the double quote escaped string 
> subst'ed from input message in $MSGHDR$MSG. I really hope somebody can 
> comment about how to fix it so that double quotes in the input won't 
> blow things up.
> 
> For now I worked around it temporarily just to get up and running by 
> adding raw=\"$MSGHDR$MSG\" to the end of my template just to see if it 
> would work OK and it does work OK when you don't have double quotes in 
> there.

Hope this helps.

-- 
Bazsi
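
Added example, not part of the original message and not syslog-ng code: a Python model of the WELF-style output discussed in this thread, showing the empty-value skipping Matthew asked about and why the downstream parser needs backslashes escaped as well as double quotes. The parser grammar (key="value" with \" and \\ as escapes), the helper names and the sample fields are assumptions constructed for illustration; the backslash handling goes beyond the quote-only rewrite rule above.

```python
import re


def escape_quotes_only(value):
    # Models the rewrite rule in the thread: every " becomes \"
    return value.replace('"', '\\"')


def escape_value(value):
    # Escape the escape character first, then the quote, so that
    # decoding is unambiguous for any input
    return value.replace('\\', '\\\\').replace('"', '\\"')


def format_welf(fields, escape=escape_value):
    # Emit key="value" pairs and skip fields whose value is empty
    return ' '.join('%s="%s"' % (k, escape(v)) for k, v in fields if v)


# Assumed downstream grammar: key="value", backslash escapes the next char
_PAIR = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_welf(line):
    # Return (key, decoded value) for every well-formed pair on the line
    return [(k, re.sub(r'\\(.)', r'\1', v)) for k, v in _PAIR.findall(line)]


# Constructed sample: an empty field, and a raw message that contains
# double quotes and ends in a backslash (a Windows-style path)
SAMPLE_RAW = 'sshd: login "root" from C:\\tmp\\'
SAMPLE_FIELDS = [("src", "10.0.0.1"), ("user", ""), ("raw", SAMPLE_RAW)]

if __name__ == "__main__":
    for name, esc in (("quotes only", escape_quotes_only),
                      ("quotes and backslashes", escape_value)):
        line = format_welf(SAMPLE_FIELDS, esc)
        print(name, "->", line)
        print("  parsed:", parse_welf(line))
```

With quote-only escaping the trailing backslash swallows the closing quote and the parser loses the raw field; escaping backslashes first makes the value round-trip.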


