[syslog-ng] Multiple rewrite conditions under 3.4.x

Tue Feb 11 16:03:41 CET 2014

On Sat, Feb 8, 2014 at 6:11 AM, Balazs Scheidler <bazsi77 at gmail.com> wrote:
>
> On Feb 6, 2014 3:42 PM, "C. L. Martinez" <carlopmart at gmail.com> wrote:
>>
>> Hi all,
>>
>>  Is it possible to add multiple rewrite conditions in syslog-ng 3.4.x like
>> this:
>>
>> rewrite r_rewrite_set{
>>               set("myhost1", value("HOST")
>> condition(program("myapplication1")));
>>               set("myhost2", value("HOST")
>> condition(program("myapplication2")));
>>               set("myhost3", value("HOST")
>> condition(program("myapplication3")));
>>               set("myhost4", value("HOST")
>> condition(program("myapplication4")));
>> };
>>
>
> Well, this would sequentially evaluate the filters, and then apply the
> rewrite rule which matches.
>
> If this is the only thing you want to change based on the program filter,
> then it should be ok.
>
> If you have or will have more rewrites using the same condition, I'd use the
> junction syntax instead.
>
> Junction {
>    Log {
>       Filter { program(...); };
>       Rewrite {}
>       Flags(final);
>    }
>    Log {};
>    ...
> }
>
> This should break out at the first match, instead of trying to match all.
>
Thanks Balazs and sorry for this late response. I like the idea of
being able to use junctions but I don't see very clear how to setup.
For example, my actual syslog-ng.conf works using conditionals
rewrites:

@version: 3.4

options {
        log_fifo_size(30000);
        use_dns (no);
        use_fqdn (no);
        keep_hostname (yes);
        stats_level(2);
};

source s_network {
        # no-multi-line means parse message as-is, newlines included,
to allow for multi-line messages
        tcp(port(10514) flags(no-multi-line));
        udp(port(10514) flags(no-multi-line));
};

rewrite r_custom_hosts {
        set("1.1.1.1", value("HOST") condition(program("app1")));
        set("2.2.2.2", value("HOST") condition(program("app2")));
        set("3.3.3.3", value("HOST") condition(program("app3")));
};

destination d_test { file("/tmp/test.log"); };

log {
        source(s_network);
        rewrite(r_custom_hosts);
        log { destination(d_test); flags(flow-control,final); };
};

Using junctions, would it be like this?

@version: 3.4

options {
        log_fifo_size(30000);
        use_dns (no);
        use_fqdn (no);
        keep_hostname (yes);
        stats_level(2);
};

source s_network {
        # no-multi-line means parse message as-is, newlines included,
to allow for multi-line messages
        tcp(port(10514) flags(no-multi-line));
        udp(port(10514) flags(no-multi-line));
};

destination d_test { file("/tmp/test.log"); };

log {
        source(s_network);
        junction {
           filter { program("app1") };
           rewrite { set("1.1.1.1", value("HOST") };
           flags(final);
        };
        junction {
           filter { program("app2") };
           rewrite { set("2.2.2.2", value("HOST") };
           flags(final);
        };
        rewrite(r_custom_hosts);
        log { destination(d_test); flags(flow-control,final); };
};