[syslog-ng] how to stop the processing if the filter return true?

Fekete, Róbert robert.fekete at balabit.com
Wed Dec 7 07:58:00 UTC 2016


Hi,

you mean something like this?
https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/example-dropping-messages.html

On Wed, Dec 7, 2016 at 12:07 AM, Jorge Pereira <jpereiran at gmail.com> wrote:

> Hi folks,
>
> Basically, in my setup, I receive JSON and all the usual (default)
> syslog packets on my server. But I have a simple filter,
> "f_blacklist_network_by_clientip", based on a JSON field. Everything works
> well; the problem is that when my filter "f_blacklist_network_by_clientip"
> returns OK, the junction() goes to the next statement, processing the
> d_default_handler() destination.
>
> My doubt is: how do I stop the processing when my filter
> f_blacklist_network_by_clientip() returns OK?
>
> *<SNIP>*
> log {
>     source(s_internet);
>
>     junction {
>          channel {
>             filter(f_wb_access_log);
>             parser(p_msg2json);
>             filter(f_blacklist_network_by_clientip);
>             destination(d_wb_access_log);
>             flags(final);
>         };
>
>         # Default destination
>         channel {
>             # DOUBT: how do I skip this processing if f_blacklist_network_by_clientip returns OK?
>             destination(d_default_handler);
>         };
>     };
> };
>
> filter f_wb_access_log {  program("wb_access"); };
> parser p_msg2json { json-parser( marker("") prefix("j.")); };
>
> filter f_blacklist_network_by_clientip {
>     not match("^127\.0\.", value("j.clientip"));
>     not match("^172\.16\.", value("j.clientip"));
>     not match("^172\.26\.", value("j.clientip"));
>     not match("^172\.31\.", value("j.clientip"));
>     # if match, stop the processing and don't jump to "channel { destination(d_default_handler); };"
> };
>
> destination d_wb_access_log {
>     file("/var/log/syslog-ng/wb/${j.webapp_domain:-invalid_gw_access}_access.log"
>          create_dirs(yes) template("${MSG}\n")
>     );
> };
>
> destination d_default_handler {
>     file("/var/log/syslog-ng/servers/${HOST}/${FACILITY:-invalid_facility}.log"
>          create_dirs(yes)
>     );
> };
>
> *</SNIP>*
>
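An added example, not part of the original thread and not Balabit's own configuration: one way to apply the linked "dropping messages" technique (a path with filters, no destination, and flags(final)) to the junction in the quoted question. The filter name f_clientip_blacklisted is hypothetical, and the example assumes the four listed networks are the ones whose messages should be discarded.

```conf
# Added example. Reuses s_internet, f_wb_access_log, p_msg2json,
# d_wb_access_log and d_default_handler from the quoted configuration.
# f_clientip_blacklisted is a hypothetical name introduced here.

# Positive form of the blacklist: true when j.clientip is in a listed network.
# Single quotes keep the backslashes literal, so '\.' reaches the regex
# engine as an escaped dot.
filter f_clientip_blacklisted {
    match('^127\.0\.' value("j.clientip")) or
    match('^172\.16\.' value("j.clientip")) or
    match('^172\.26\.' value("j.clientip")) or
    match('^172\.31\.' value("j.clientip"));
};

log {
    source(s_internet);

    junction {
        # 1. Blacklisted wb_access messages: matched, no destination, final.
        #    The message is discarded and is not offered to the channels below.
        channel {
            filter(f_wb_access_log);
            parser(p_msg2json);
            filter(f_clientip_blacklisted);
            flags(final);
        };

        # 2. Remaining wb_access messages go to the access log and stop there.
        channel {
            filter(f_wb_access_log);
            parser(p_msg2json);
            destination(d_wb_access_log);
            flags(final);
        };

        # 3. Everything else (including wb_access messages whose JSON
        #    failed to parse) goes to the default destination.
        channel {
            destination(d_default_handler);
        };
    };
};
```

Check the file with `syslog-ng --syntax-only -f <path>` before reloading, and confirm on a test message from each network that nothing lands under the default handler's directory.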