[syslog-ng] how to stop the processing if the filter return true?

Jorge Pereira jpereiran at gmail.com
Tue Dec 6 23:07:48 UTC 2016


Hi folks,

Basically, in my setup, I received a jSON and the all usual (default)
syslog packets in my server. But, I have a simple filter
"f_blacklist_network_by_clientip" based in a jSON field. everything works
well, the problem is because when my filter
"f_blacklist_network_by_clientip" return OK, the junction() goes to the
next statement processing the d_default_handler() destination.

My doubt is: how to stop the processing when my filter
f_blacklist_network_by_clientip() returns OK?

*<SNIP>*
log {
    source(s_internet);

    junction {
         channel {
            filter(f_wb_access_log);
            parser(p_msg2json);
            filter(f_blacklist_network_by_clientip);
            destination(d_wb_access_log);
            flags(final);
        };

        # Default destination
        channel {
*            # DOUBT: how to don't processing if the
f_blacklist_network_by_clientip return OK?*
            destination(d_default_handler);
        };
    };
};

filter f_wb_access_log {  program("wb_access"); };
parser p_msg2json { json-parser( marker("") prefix("j.")); };

filter f_blacklist_network_by_clientip {
    not match("^127\.0\.", value("j.clientip"));
    not match("^172\.16\.", value("j.clientip"));
    not match("^172\.26\.", value("j.clientip"));
    not match("^172\.31\.", value("j.clientip"));
*    # if match, stop the processing and don't jump to "channel {
destination(d_default_handler); };*
};

destination d_wb_access_log {

file("/var/log/syslog-ng/wb/${j.webapp_domain:-invalid_gw_access}_access.log"
         create_dirs(yes) template("${MSG}\n")
    );
};

destination d_default_handler {

file("/var/log/syslog-ng/servers/${HOST}/${FACILITY:-invalid_facility}.log"
         create_dirs(yes)
    );
};

*</SNIP>*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20161206/afb2028f/attachment.html>


More information about the syslog-ng mailing list