[syslog-ng] Rewrite syslog priority

Nagy, Gábor gabor.nagy at balabit.com
Wed Mar 7 15:31:47 UTC 2018


Hello Kaleem!

I'm afraid modifying the PRIORITY field of the log message is still not
supported as it is a hard-macro in syslog-ng and thus it is *read-only*:
https://syslog-ng.com/documents/html/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/macros-hard-vs-soft.html


Basically, you would like to control the feature on config block level
(e.g. in a rewrite rule or in a filter, etc.) which can be freely included
in any log path.

As a solution, you can use the same conditional rewrite rule, set a new
name-value pair with the desired priority and use the template always in
the destination.
There is no problem if you don't use the rewrite rule in a log path while
the destination is trying to expand the `MY_PRI` field as it would simply
evaluate to an empty string.

Config example:

rewrite r_set_priority {
  # MY_PRI is a soft name-value pair, so it can be set; PRIORITY cannot.
  set("<185> " value("MY_PRI") condition(filter(f_syslogd1)));
};
destination d_stdout {
  file("/dev/stdout"
    template("${MY_PRI}${ISODATE} ${HOST} ${MSGHDR}${MSG}\n")
  );
};
log {
  ....
  rewrite(r_set_priority);
  destination(d_stdout);
};



I was thinking about other ways, junctions or multiple log paths with the
same destinations (except one destination would have the template),
but those would increase the config complexity or would just be ugly.


Gabor
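A fuller configuration along the lines described above, added here as an illustration rather than taken from the thread: one destination is shared by two log paths, and only the path that runs the rewrite sends the overridden PRI. The source name `s_syslog_514`, the host `server-001` and the filter body come from Kaleem's mail; `r_keep_pri` and `f_not_fallback` are assumptions introduced so that unmatched messages keep their original PRI instead of going out with no PRI header at all (an RFC 3164 relay would otherwise treat them as <13>, user.notice).

```syslog-ng
@version: 3.5

source s_syslog_514 { udp(port(514)); };

# Only the messages whose priority should be raised.
filter f_syslogd1 {
  match("%OS-PCE-7-CSPF_FALLBACK" value("MESSAGE")) and level(debug);
};
# Everything else (hypothetical helper filter for the second path).
filter f_not_fallback { not filter(f_syslogd1); };

# PRIORITY is a read-only hard macro, so the replacement PRI is kept in the
# soft name-value pair MY_PRI. Default it to the original numeric PRI ($PRI)
# so that messages which are not rewritten still carry a valid header.
rewrite r_keep_pri { set("<${PRI}>", value("MY_PRI")); };

# 185 = facility local7 (23) * 8 + severity alert (1).
rewrite r_set_priority {
  set("<185>", value("MY_PRI"), condition(filter(f_syslogd1)));
};

# One shared destination; the template expands whatever MY_PRI holds.
# In a path that sets neither rewrite, ${MY_PRI} expands to "" and the
# line leaves without a PRI header, which is why r_keep_pri runs everywhere.
destination d_syslog {
  udp("server-001" port(514) spoof_source(yes)
      template("${MY_PRI}${DATE} ${HOST} ${MSGHDR}${MSG}\n")
      template_escape(no));
};

# Path 1: matching debug messages are forwarded as local7.alert.
log {
  source(s_syslog_514);
  filter(f_syslogd1);
  rewrite(r_keep_pri);
  rewrite(r_set_priority);
  destination(d_syslog);
};

# Path 2: all other messages reuse the same destination with their own PRI.
log {
  source(s_syslog_514);
  filter(f_not_fallback);
  rewrite(r_keep_pri);
  destination(d_syslog);
};
```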

On Wed, Mar 7, 2018 at 12:48 PM, Kaleemulla Sharief (kasharie) <
kasharie at cisco.com> wrote:

> Hi,
>
>
>
> Is there support to change the syslog **priority** using rewrite? While
> I read it was not supported earlier but was planned for syslog-ng 3.2
> (apologies if this is a wrong source), can someone help me with an example
> if it was added in any of the releases later? Below did not work for me
> with syslog-ng 3.5.6 to change debug syslog to alert.
>
>
>
> filter f_syslogd1 { match("%OS-PCE-7-CSPF_FALLBACK") and priority(debug); };
>
> rewrite r_rewrite_set { set("1", value("PRIORITY") condition(filter(f_syslogd1))); };   # Neither 1 without quotes
>
> log { source(s_syslog_514); rewrite(r_rewrite_set); destination(d_syslog); };
>
>
>
> I am able to achieve this using the template hack, something like below
> (changing to local7.alert=185), but the problem is that while I can use the
> template inside the destination definition, rewrite can be used under the log
> section so that I can re-use the same destination with different filters with
> or without rewrite; below will get applied to all syslogs to destination
> d_syslog, which is not my requirement. How can I combine filters with a
> template on the same destination if rewrite is not supported? Appreciate any
> suggestions.
>
> template t_asm {
>    template("<185> $DATE $HOST $MSGHDR$MSG\n");
>    template_escape(no);
> };
>
> destination d_syslog {
>    udp("server-001" port(514) spoof_source(yes) template(t_asm));
> };
>
>
>
> Regards
>
> ~ Kaleem
>
>
>