[syslog-ng] add-contextual-data()

Fekete, Róbert robert.fekete at balabit.com
Wed Oct 19 07:14:44 UTC 2016


Hi,

Currently the selector must be a string or a macro, and its value must
appear in the first field of the csv file. So you must either list every
possible IP address in the csv file, or somehow add the netmask/subnet as a
field to the message, and use that as the selector.
For example, if you do not have too many separate vlans/subnets, you could
try using conditional rewrites (
https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/conditional-rewrite.html)
to replace the filter and set a custom field. Something like:

rewrite r_rewrite_set {
        set("43", value("MY_VLANID") condition(netmask(192.168.1.0/24)));
};

...

add-contextual-data(
        selector($MY_VLANID)
        database("/opt/syslog-ng/etc/VLAN_Descriptions.csv")
        default-selector("unknown-hostname")
        );

...

And the first field of the CSV must be the VLANID value.


HTH,

Robert





On Wed, Oct 19, 2016 at 1:01 AM, Scot Needy <scotrn at gmail.com> wrote:

> Tried adding this way and seems to be looking for the tag rather than
> adding.
> Logging stopped for this filter.
>
> filter f_192_168_1_0 {
>         netmask(192.168.1.0/24);
>         tags("VMware_ESX");
>         };
>
>
> > On Oct 18, 2016, at 6:12 PM, Scot Needy <scotrn at gmail.com> wrote:
> >
> >
> > Could I leverage this type of CSV to add VLAN ID and VLAN description tags if I already have
> >
> > filter f_192_168_1_0 { netmask(192.168.1.0/24);};
> >
> >
> > VLAN_Descriptions.csv
> > VLANID,       VLAN Description,       subnet/24
> > 43,   Database_#14141,        192.168.1.1/24
> >
> > filter f_192_168_1_0 {
> >       netmask(192.168.1.0/24);
> >       add-contextual-data(
> >       selector($IP is in f_192_168_1_0 or something specific?????/)
> >       database("/opt/syslog-ng/etc/VLAN_Descriptions.csv")
> >       default-selector("unknown-hostname")
> >       );
> >
> > };
> >
> >
> >
>
>
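
Added example (not from the thread or from the syslog-ng project): with more than a handful of subnets, the conditional rewrite rules and the VLAN-ID-keyed CSV described in the reply can both be generated from one subnet list. The function names, the r_set_vlanid rule name, the vlan.description name and the 192.168.0.0/16 row are assumptions made for illustration; the generated CSV uses the selector,name,value layout that add-contextual-data() reads.

```python
import csv
import io
import ipaddress
import re

# Constructed sample in the layout of the CSV quoted in the thread, plus one overlapping /16.
SAMPLE = """VLANID,       VLAN Description,       subnet/24
43,   Database_#14141,        192.168.1.1/24
10,   Campus_default,         192.168.0.0/16
"""
SAFE = re.compile(r"[A-Za-z0-9_#.-]+")  # values land in config and CSV: keep them inert


def load_vlans(text):
    """Parse rows into (vlan_id, description, IPv4Network), broadest subnet first."""
    vlans = []
    for rec in list(csv.reader(io.StringIO(text), skipinitialspace=True))[1:]:
        vlan_id, desc, subnet = (field.strip() for field in rec)
        if not re.fullmatch(r"[0-9]+", vlan_id) or not SAFE.fullmatch(desc):
            raise ValueError(f"unsafe field in row: {rec!r}")
        # strict=False normalises 192.168.1.1/24 to the network 192.168.1.0/24
        vlans.append((vlan_id, desc, ipaddress.IPv4Network(subnet, strict=False)))
    # Rules run in order and each match overwrites the field: narrowest subnet last.
    return sorted(vlans, key=lambda v: v[2].prefixlen)


def rewrite_rules(vlans, field="MY_VLANID"):
    """One conditional set() per subnet, in the form shown in the reply."""
    body = [f'    set("{vid}", value("{field}") condition(netmask({net})));'
            for vid, _, net in vlans]
    return "\n".join(["rewrite r_set_vlanid {", *body, "};"])


def context_db(vlans, name="vlan.description"):
    """selector,name,value lines; the selector (first field) is the VLAN ID."""
    return "".join(f"{vid},{name},{desc}\n" for vid, desc, _ in vlans)


def effective_selector(vlans, ip, default="unknown-hostname"):
    """Selector a message from `ip` ends up with: last match wins, else the default."""
    addr, result = ipaddress.IPv4Address(ip), default
    for vid, _, net in vlans:
        if addr in net:
            result = vid
    return result


if __name__ == "__main__":
    print(rewrite_rules(load_vlans(SAMPLE)), context_db(load_vlans(SAMPLE)), sep="\n")
```
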