[syslog-ng] 3.5 how to feed json object into syslog-ng with TAGS

Evan Rempel erempel at uvic.ca
Sun Mar 9 00:11:18 CET 2014 

A while back I was asking about the json parser and how to get the TAGS 
from the json object into the
TAGS of the syslog-ng internal structure so that I could make filters on 
them.

Now I am trying again, following Balazs suggestion of using set-tag(), 
however, I find that the rewrite

rewrite r_set_sometag {
     set-tag("sometag" condition(filter(f_should_set_sometag)) );
};

is not supported.

I thought that I would be able to use the filter in the log statement 
such as

log {
     source(s_some);
     log {
         filter(f_should_set_sometag);
         rewrite(r_set_sometag);
         destination(d_dest);
     };
};

This works for one tag, but I have multiple tags that I want to set 
which gives be a factorial(N)
branching sequence which is not feasible.

Using junction/channels ends up producing multiple output lines when 
multiple TAGS are set :-(

Can anyone think of a way to set an arbitrary set of TAGS on a syslog 
message given an
arbitrary set of "set-tag-flags" presented in other macro values?

Should the set-tag rewrite support conditionals?

Thanks in advance ... again.

Evan.

On 03/28/2013 09:56 PM, Balazs Scheidler wrote:
>
>
> Hi,
>
> the simplest way right now is the set-tag() rewrite operation, that 
> together with condition() might do the trick.
>
> I know there should be an easier way, but I'm afraid there isn't.
>
> I'm thinking about how this should work in the long term, but right 
> now I don't have a clear idea.
>
> ----- Original message -----
> > I have a situation where syslog-ng processes a syslog line, users
> > paserdb and does lots of work and finally sends the complete object via
> > json to an external application. This application does some thinking 
> and
> > based on some other data sources needs to send the log message back 
> into
> > syslog-ng with a different set of TAGS so that it gets routed through
> > syslog-ng to a different destination program.
> >
> > The problem I am having is that syslog-ng does not use the TAGS in the
> > incoming json object. The TAGS get replaced with the TAGS on the
> > "source" of the syslog-ng that reads the json object, and augmented 
> with
> > any patterndb processing.
> >
> > Can anyone think of a way to get some arbitrary set of TAGS 
> (possibly in
> > a different custom macro) placed into the TAGS macro so that all of  
> the
> > filters on tags can be used.
> >
> > For example, I could make a patterndb for each individual tag value, 
> and
> > invoke each patterndb on the MyTags value. If there is a match then tag
> > the message with the TAG. I would need to know all of the TAGS in
> > advance and would probably not perform all that well, but it would 
> work.
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20140308/23cb8cb4/attachment.htm

More information about the syslog-ng mailing list