[syslog-ng] Rewrite syslog priority
Nagy, Gábor
gabor.nagy at balabit.com
Wed Mar 7 16:05:23 UTC 2018
Hi!
Sorry, but the above config has a problem:
if the rewrite rule is not appled then the original PRIORITY is not going
to be in the log message.
(I should'nt had test it with file destination :))
You have to save it first:
rewrite r_rew {
+ set("<${PRI}>" value(MY_PRI) );
set("<185>" value(MY_PRI) condition(filter(f_matches);) );
Regards,
Gabor
On Wed, Mar 7, 2018 at 4:31 PM, Nagy, Gábor <gabor.nagy at balabit.com> wrote:
> Hello Kaleem!
>
> I'm afraid modifying the PRIORITY field of the log message is still not
> supported as it is a hard-macro in syslog-ng and thus it is *read-only*:
> https://syslog-ng.com/documents/html/syslog-ng-ose-
> latest-guides/en/syslog-ng-ose-guide-admin/html/macros-hard-vs-soft.html
>
>
> Basically, you would like to control the feature on config block level
> (e.g. in a rewrite rule or in a filter, etc.) which can be freely included
> in any log path.
>
> As a solution, you can use the same conditional rewrite rule, set a new
> name-value pair with the desired priority and use the template always in
> the destination.
> There is no problem if you don't use the rewrite rule in a log path while
> the destination is trying to expand the `MY_PRI` field as it would simply
> evaluate to an empty string.
>
> Config example:
>
> rewrite r_set_priority {
> set("<185> " value(MY_PRI) condition(filter(f_syslogd1);) );
> };
> destination d_stdout {
> file("/dev/stdout"
> template("${MY_PRI}${ISODATE} ${HOST} ${MSGHDR}${MSG}\n")
> );
> };
> log {
> ....
> rewrite(r_set_priority);
> destination(d_stdout);
> };
>
>
>
> I was thinking about other ways, junctions or multiple log paths with the
> same destinations(except one destination would have the template),
> but those would increase the config complexity or just ugly.
>
>
> Gabor
>
> On Wed, Mar 7, 2018 at 12:48 PM, Kaleemulla Sharief (kasharie) <
> kasharie at cisco.com> wrote:
>
>> Hi,
>>
>>
>>
>> Is there support to change the syslog **priority**** using rewrite?
>> While I read it was not supported earlier but was planned for syslog-ng 3.2
>> (apologies if this is a wrong source), can someone help me with an example
>> if it was added in any of the releases later ? Below did not work for me
>> with syslog-ng 3.5.6 to change debug syslog to alert.
>>
>>
>>
>> filter f_syslogd1 { match("%OS-PCE-7-CSPF_FALLBACK") and
>> priority(debug); };
>>
>>
>>
>> rewrite r_rewrite_set{set("1", value("PRIORITY")
>> condition(filter(f_syslogd1)));}; #Neither 1 without quotes
>>
>> log { source(s_syslog_514); rewrite (r_rewrite_set); destination(d_syslog); };
>>
>>
>>
>> I am able to achieve this using the template hack something like below
>> (changing to local7.alert=185) but the problem is while I can use the
>> template inside destination definition, rewrite can be used under log
>> section so that I can re-use same destination with different filters with
>> or without rewrite, below will get applied to all syslogs to destination
>> d_syslog which is not my requirement. How can I combine filters with
>> template on same destination if rewrite is not supported. Appreciate any
>> suggestions.
>>
>> template t_asm {
>>
>> template("<185> $DATE $HOST $MSGHDR$MSG\n");
>>
>> template_escape(no);
>>
>> };
>>
>>
>>
>> destination d_syslog
>>
>> {udp("server-001" port(514) spoof_source(yes) template(t_asm));
>>
>> };
>>
>>
>>
>> Regards
>>
>> ~ Kaleem
>>
>>
>>
>> ____________________________________________________________
>> __________________
>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> Documentation: http://www.balabit.com/support/documentation/?product=
>> syslog-ng
>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20180307/14c1e4c8/attachment-0001.html>
More information about the syslog-ng
mailing list