[syslog-ng] set tag in log statement

Fekete Róbert frobert at balabit.hu
Sat Dec 17 20:26:01 CET 2011


 
On Friday, December 16, 2011 21:59 CET, Patrick Hemmer <syslogng at feystorm.net> wrote: 
 
> Would it be possible to set tags on a message when it is matched by a 
> `log {}` statement? This would be useful for complex log configurations 
> so you could filter out messages that were logged by previous `log {}` 
> statements without having to write really long `filter {}`s.
> 
> I'm not sure if this is possible or not. Would depend on the order of 
> operations, like if a filter block in a later log statement is 
> evaluated at the same time as an earlier filter block, or if it's 
> evaluated when it reaches the `log {}`.

Hi, 

currently that is possible only with a small workaround: using a rewrite rule to modify the $TAGS field of the message.

Something like: 
rewrite r_rewrite_tag1 { set("$TAGS,tag1", value("TAGS"));};

Then a log statement would look like: 

log { source(s_local); filter(f_a); rewrite(r_rewrite_tag1); destination(d_a); };

http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.3-guides/syslog-ng-ose-v3.3-guide-admin-en.html/modifying-messages.html

You can probably combine the filter and the rewrite into a single conditional rewrite rule to simplify the log statement.

http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.3-guides/syslog-ng-ose-v3.3-guide-admin-en.html/conditional-rewrite.html


Regards, 

Robert

> 
> Such a config would look like
> 
> filter f_a { facility(mail); };
> log { source(s_local); filter(f_a); destination(d_a); tags("tag1"); };
> 
> filter f_b { facility(local0); };
> log { source(s_local); filter(f_b); destination(d_b); tags("tag1"); };
> 
> filter f_c { not tags("tag1"); };
> log { source(s_local); filter(f_c); destination (d_c); };