[syslog-ng] Changing a value after a match with patterndb

Mark Shetka mshetka at d.umn.edu
Tue Jan 12 17:54:29 CET 2016


Thanks. Do you know when set condition became available in rewrite?

--
Mark Shetka
Infrastructure Analyst - Network Team
Information Technology Systems & Services
University of Minnesota - Duluth
(218) 726-7682

On Tue, Jan 12, 2016 at 10:15 AM, Scheidler, Balázs <
balazs.scheidler at balabit.com> wrote:

> I would suggest doing this mapping _after_ the db-parser() stuff, e.g. I
> would use db-parser _only_ to extract name-value pairs and then do the
> mappings from the syslog-ng configuration file:
>
> parser {
>     channel {
>        parser { db-parser(); };
>        rewrite { set("telnet" value("LOCALPORT") condition("${LOCALPORT}" == "23")); };
>        rewrite { set("ssh" value("LOCALPORT") condition("${LOCALPORT}" == "22")); };
>     };
> };
>
> We would definitely need to improve the syntax in the rewrite portion
> though, and I am willing to invest some effort in that direction.
>
> My point really is that db-parser() should be used for extraction, the
> rest of the syntax language for munging/mapping.
>
> --
> Bazsi
>
> On Tue, Jan 12, 2016 at 4:47 PM, Fabien Wernli <wernli at in2p3.fr> wrote:
>
>> Hi Mark,
>>
>> You can use template functions in patterndb [1].
>> The idea is to add a value to the matched message, which contains the
>> result of a template function. You could for instance use the "if" function:
>>
>>     <values>
>>       <value name="svc">$(if ("${port}" == "22") "ssh" "telnet")</value>
>>     </values>
>>
>> If you need anything more complex, and if you are using the 3.7.x series,
>> you could even use a python script using the "python" template function.
>>
>> Cheers
>>
>> [1]
>> https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html-single/index.html#reference-template-functions
>>
>>
>>
>> ______________________________________________________________________________
>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> Documentation:
>> http://www.balabit.com/support/documentation/?product=syslog-ng
>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq