[syslog-ng] Changing a value after a match with patterndb

Scheidler, Balázs balazs.scheidler at balabit.com
Tue Jan 12 18:19:30 CET 2016


It was implemented in 2010, in syslog-ng 3.2, by this patch:

Author: Balazs Scheidler <bazsi at balabit.hu>  2010-07-29 09:59:53
Committer: Balazs Scheidler <bazsi at balabit.hu>  2010-07-29 09:59:53
Parent: aeab9e22207cb7700a0e0cfb359e2f1adc221301 (logrewrite: cleaned up naming of subst specific methods)
Branches: master and many more (547)
Follows: v3.2alpha1
Precedes: v3.2beta1

    rewrite: implement condition() option for rewrite expressions

    This patch implements condition() option for rewrite expression, which
    makes it possible to only apply a given reply rule if the
    message matches the filter.

    For example:

        set("something new" condition(facility(auth)));

-- 
Bazsi

On Tue, Jan 12, 2016 at 5:54 PM, Mark Shetka <mshetka at d.umn.edu> wrote:

> Thanks. Do you know when set condition became available in rewrite?
>
> --
> Mark Shetka
> Infrastructure Analyst - Network Team
> Information Technology Systems & Services
> University of Minnesota - Duluth
> (218) 726-7682
>
> On Tue, Jan 12, 2016 at 10:15 AM, Scheidler, Balázs <
> balazs.scheidler at balabit.com> wrote:
>
>> I would suggest to do this mapping _after_ the db-parser() stuff, e.g. I
>> would use db-parser _only_ to extract name-value pairs and then do mappings
>> from syslog-ng configuration file:
>>
>> parser {
>>     channel {
>>        parser { db-parser(); };
>>        rewrite { set("telnet" value("LOCALPORT") condition("${LOCALPORT}" == "23")); };
>>        rewrite { set("ssh" value("LOCALPORT") condition("${LOCALPORT}" == "22")); };
>>     };
>> };
>>
>> We would definitely need to improve the syntax in the rewrite portion
>> though, and I am willing to invest some efforts in that direction.
>>
>> My point really is that db-parser() should be used for extraction, the
>> rest of the syntax language for munging/mapping.
>>
>> --
>> Bazsi
>>
>> On Tue, Jan 12, 2016 at 4:47 PM, Fabien Wernli <wernli at in2p3.fr> wrote:
>>
>>> Hi Mark,
>>>
>>> You can use template functions in patterndb [1].
>>> The idea is to add a value to the matched message, which contains the
>>> result
>>> of a template function. You could for instance use the "if" function:
>>>
>>>     <values>
>>>       <value name="svc">$(if ("${port}" == "22") "ssh" "telnet")</value>
>>>     </values>
>>>
>>> If you need anything more complex, and if you are using the 3.7.x series,
>>> you could even use a python script using the "python" template function.
>>>
>>> Cheers
>>>
>>> [1]
>>> https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html-single/index.html#reference-template-functions
>>>
>>>
>>>
>>> ______________________________________________________________________________
>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>> Documentation:
>>> http://www.balabit.com/support/documentation/?product=syslog-ng
>>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>>
>>>
>>>
>>
>>
>>
>>
>>
>
>
>
>
>
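A complete configuration following the split Bazsi recommends in the thread (db-parser() for extraction, rewrite with condition() for mapping), written as an added example; it is not from the thread or from the syslog-ng project. It assumes a pattern database at the hypothetical path /etc/syslog-ng/patterndb.xml that sets LOCALPORT from the message; the SERVICE value, the filter and destination names, and the log file paths are this example's own choices. Unlike the snippet in the thread, it writes the mapped name into a separate SERVICE value so the raw port number is kept for later filtering and correlation.

```conf
@version: 3.7
# Added example (not from the thread): db-parser() extracts the raw fields,
# rewrite rules with condition() do the mapping afterwards.
# Assumptions: /etc/syslog-ng/patterndb.xml (hypothetical path) contains a
# pattern that sets LOCALPORT from the message; SERVICE and the file paths
# below are this example's own choices.

source s_net {
    network(ip("0.0.0.0") port(514) transport("udp"));
};

parser p_extract_and_map {
    channel {
        # Step 1: extraction only. The pattern database fills ${LOCALPORT}.
        parser { db-parser(file("/etc/syslog-ng/patterndb.xml")); };

        # Step 2: mapping in the configuration language (condition() on
        # rewrite rules exists since syslog-ng 3.2). The mapped name goes
        # into a separate SERVICE value so the raw port number survives.
        rewrite {
            set("telnet" value("SERVICE") condition("${LOCALPORT}" == "23"));
            set("ssh"    value("SERVICE") condition("${LOCALPORT}" == "22"));
            # Anything not mapped above is labelled explicitly instead of
            # being left empty, so downstream filters can rely on the field.
            set("unknown" value("SERVICE") condition(not match("." value("SERVICE"))));
        };
    };
};

# Cleartext-protocol events (telnet) get their own file so they are easy to review.
filter f_cleartext { "${SERVICE}" == "telnet"; };

destination d_all {
    file("/var/log/services.log"
         template("${ISODATE} ${HOST} port=${LOCALPORT} service=${SERVICE} ${MESSAGE}\n"));
};
destination d_cleartext { file("/var/log/cleartext-services.log"); };

log {
    source(s_net);
    parser(p_extract_and_map);
    destination(d_all);
    log { filter(f_cleartext); destination(d_cleartext); };
};
```

The three set() calls are independent, so a message whose LOCALPORT is neither 22 nor 23 ends up with SERVICE set to "unknown" and is still written to services.log with its original port number; only messages mapped to "telnet" additionally reach the cleartext log. Check the configuration with syslog-ng --syntax-only before reloading, because a mismatched parenthesis in a condition() (as in the original snippet in the thread) is rejected at parse time.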