[syslog-ng] how to stop the processing if the filter return true?
Jorge Pereira
jpereiran at gmail.com
Tue Dec 6 23:07:48 UTC 2016
Hi folks,

Basically, in my setup, I receive JSON and all the usual (default)
syslog packets on my server. But I have a simple filter,
"f_blacklist_network_by_clientip", based on a JSON field. Everything works
well; the problem is that when my filter
"f_blacklist_network_by_clientip" returns OK, the junction() goes on to the
next statement, processing the d_default_handler() destination.

My doubt is: how to stop the processing when my filter
f_blacklist_network_by_clientip() returns OK?

<SNIP>
log {
    source(s_internet);

    junction {
        channel {
            filter(f_wb_access_log);
            parser(p_msg2json);
            filter(f_blacklist_network_by_clientip);
            destination(d_wb_access_log);
            flags(final);
        };

        # Default destination
        channel {
            # DOUBT: how to not process this if
            # f_blacklist_network_by_clientip returns OK?
            destination(d_default_handler);
        };
    };
};

filter f_wb_access_log { program("wb_access"); };

parser p_msg2json { json-parser( marker("") prefix("j.")); };

filter f_blacklist_network_by_clientip {
    not match("^127\.0\.", value("j.clientip"));
    not match("^172\.16\.", value("j.clientip"));
    not match("^172\.26\.", value("j.clientip"));
    not match("^172\.31\.", value("j.clientip"));
    # if match, stop the processing and don't jump to
    # "channel { destination(d_default_handler); };"
};

destination d_wb_access_log {
    file("/var/log/syslog-ng/wb/${j.webapp_domain:-invalid_gw_access}_access.log"
        create_dirs(yes) template("${MSG}\n")
    );
};

destination d_default_handler {
    file("/var/log/syslog-ng/servers/${HOST}/${FACILITY:-invalid_facility}.log"
        create_dirs(yes)
    );
};
</SNIP>