[syslog-ng] set tag in log statement

[Balazs Scheidler]

On Sat, 2011-12-17 at 20:26 +0100, Fekete Róbert wrote:
> On Friday, December 16, 2011 21:59 CET, Patrick Hemmer <syslogng at feystorm.net> wrote: 
>  
> > Would it be possible to set tags on a message when it is matched by a 
> > `log {}` statement? This would be useful for complex log configurations 
> > so you could filter out messages that were logged by previous `log {}` 
> > statements without having to write really long `filter {}`s.
> > 
> > I'm not sure if this is possible or not. Would depend on the order of 
> > operations, like if a filter block in a latter log statement is 
> > evaluated at the same time as an earlier filter block, or if its 
> > evaluated when it reaches the `log {}`.
> 
> Hi, 
> 
> currently that is possible only with a small workaround: using a rewrite rule to modify the $TAGS field of the message.
> 
> Something like: 
> rewrite r_rewrite_tag1 { set("$TAGS,tag1", value("TAGS"));};
> 

No, this wouldn't work. $TAGS is read-only right now.

> Then a log statement would look like: 
> 
> log { source(s_local); filter(f_a); r_rewrite_tag1; destination(d_a); };
> 
> http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.3-guides/syslog-ng-ose-v3.3-guide-admin-en.html/modifying-messages.html
> 
> You can probably combine the filter and the rewrite into a single conditional rewrite rule to simplify the log statement.
> 
> http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.3-guides/syslog-ng-ose-v3.3-guide-admin-en.html/conditional-rewrite.html

Would it not be enought to use the flags(final) rule on log statements,
perhaps using embedded log {} statements?

This is equivalent to your configuration:

filter f_a { facility(mail); };
log { source(s_local); filter(f_a); destination(d_a); flags(final); };

filter f_b { facility(local0); };
log { source(s_local); filter(f_b); destination(d_b); flags(final); };

log { source(s_local); destination (d_c); };

-- 
Bazsi