[syslog-ng] Rewrite syslog priority

Kaleemulla Sharief (kasharie) kasharie at cisco.com
Thu Mar 8 06:01:41 UTC 2018


Thanks Gabor, that worked for me :) Yes, the non_rewrite filter was not putting the priority in the log, and the second correction fixed it. So we need to use the rewrite in all the log definitions; the default will be to retain the priority, and a condition match will change it. Great !!

Thanks Again :)

Regards,
Kaleem

From: syslog-ng [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Nagy, Gábor
Sent: Wednesday, March 7, 2018 9:35 PM
To: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
Subject: Re: [syslog-ng] Rewrite syslog priority

Hi!

Sorry, but the above config has a problem:
if the rewrite rule is not applied, then the original PRIORITY is not going to be in the log message.
(I shouldn't have tested it with a file destination :))
You have to save it first:

rewrite r_rew {
+  set("<${PRI}>" value(MY_PRI) );
  set("<185>" value(MY_PRI) condition(filter(f_matches);) );
};

Regards,
Gabor

On Wed, Mar 7, 2018 at 4:31 PM, Nagy, Gábor <gabor.nagy at balabit.com> wrote:
Hello Kaleem!

I'm afraid modifying the PRIORITY field of the log message is still not supported as it is a hard-macro in syslog-ng and thus it is *read-only*:
https://syslog-ng.com/documents/html/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/macros-hard-vs-soft.html

Basically, you would like to control the feature at the config block level (e.g. in a rewrite rule or in a filter, etc.), which can be freely included in any log path.

As a solution, you can use the same conditional rewrite rule, set a new name-value pair with the desired priority and use the template always in the destination.
There is no problem if you don't use the rewrite rule in a log path while the destination is trying to expand the `MY_PRI` field as it would simply evaluate to an empty string.

Config example:
rewrite r_set_priority {
  set("<185> " value(MY_PRI) condition(filter(f_syslogd1);) );
};
destination d_stdout {
  file("/dev/stdout"
    template("${MY_PRI}${ISODATE} ${HOST} ${MSGHDR}${MSG}\n")
  );
};
log {
  ....
  rewrite(r_set_priority);
  destination(d_stdout);
};


I was thinking about other ways, junctions or multiple log paths with the same destinations (except one destination would have the template),
but those would increase the config complexity or would just be ugly.


Gabor

On Wed, Mar 7, 2018 at 12:48 PM, Kaleemulla Sharief (kasharie) <kasharie at cisco.com> wrote:
Hi,

Is there support to change the syslog *priority* using rewrite? While I read it was not supported earlier but was planned for syslog-ng 3.2 (apologies if this is a wrong source), can someone help me with an example if it was added in any of the later releases? The below did not work for me with syslog-ng 3.5.6 to change a debug syslog to alert.

filter f_syslogd1 { match("%OS-PCE-7-CSPF_FALLBACK") and priority(debug); };

rewrite r_rewrite_set{set("1", value("PRIORITY") condition(filter(f_syslogd1)));};   #Neither 1 without quotes

log { source(s_syslog_514); rewrite (r_rewrite_set); destination(d_syslog); };

I am able to achieve this using the template hack, something like the below (changing to local7.alert=185), but the problem is that while I can use the template inside the destination definition, rewrite can be used under the log section so that I can re-use the same destination with different filters, with or without rewrite; the below will get applied to all syslogs to destination d_syslog, which is not my requirement. How can I combine filters with a template on the same destination if rewrite is not supported? Appreciate any suggestions.
template t_asm {
   template("<185> $DATE $HOST $MSGHDR$MSG\n");
   template_escape(no);
};

destination d_syslog {
  udp("server-001" port(514) spoof_source(yes) template(t_asm));
};

Regards
~ Kaleem


______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
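Putting the thread's pieces together, here is a complete configuration. It is added here as an illustration; it was not posted by either participant. It keeps Gabor's pattern (save the read-only ${PRI} hard macro into a soft name-value pair first, then override that pair conditionally) and addresses Kaleem's follow-up: because the destination's template expands ${MY_PRI}, every log path that feeds d_syslog must populate it, or the destination emits a message with no PRI at all (an RFC 3164 relay then inserts the default PRI 13, user.notice, so the escalation and the original facility are both lost). A second, unconditional rewrite therefore serves the paths that must never escalate. The listener address, the second internal() source, the r_keep_priority block and the second log path are my assumptions; the filter, the "server-001" collector and the 185 value (local7 = 23, alert = 1, 23*8 + 1 = 185) come from the thread. Note that RFC 3164 puts no space between the PRI and the timestamp, so the literal is written "<185>" and the template places ${DATE} directly after ${MY_PRI}.

```conf
@version: 3.5

# Listener from the thread (bind address assumed).
source s_syslog_514 {
  udp(ip(0.0.0.0) port(514));
};

# syslog-ng's own messages; assumed as a second path that must not be escalated.
source s_internal {
  internal();
};

# The vendor message whose severity should be escalated from debug to alert.
filter f_syslogd1 {
  match("%OS-PCE-7-CSPF_FALLBACK" value("MESSAGE")) and priority(debug);
};

# Escalating path: keep the original PRI by default, override it to
# local7.alert (23*8 + 1 = 185) only when the filter matches.
# ${PRI} is a hard macro and cannot be set, so the value is carried in MY_PRI.
rewrite r_set_priority {
  set("<${PRI}>" value("MY_PRI"));
  set("<185>"    value("MY_PRI") condition(filter(f_syslogd1)));
};

# Non-escalating path: MY_PRI must still be populated, otherwise the
# destination sends the message without any PRI.
rewrite r_keep_priority {
  set("<${PRI}>" value("MY_PRI"));
};

# RFC 3164 framing: "<PRI>" is followed directly by the BSD timestamp.
template t_asm {
  template("${MY_PRI}${DATE} ${HOST} ${MSGHDR}${MSG}\n");
  template_escape(no);
};

# One destination, reused by both paths; the template decides the PRI.
destination d_syslog {
  udp("server-001" port(514) template(t_asm));
};

# Matching debug messages from the 514 listener go out as <185>,
# everything else from that listener keeps its original PRI.
log { source(s_syslog_514); rewrite(r_set_priority);  destination(d_syslog); };

# Internal messages are forwarded unchanged, but still carry a PRI.
log { source(s_internal);   rewrite(r_keep_priority); destination(d_syslog); };
```

Check it with `syslog-ng --syntax-only -f <file>` before reloading, then send a matching line (e.g. with `logger -p local7.debug '%OS-PCE-7-CSPF_FALLBACK ...'` to the listener) and confirm on the collector that it arrives as `<185>` while an unrelated message keeps its original `<PRI>`; a message arriving with no angle-bracket prefix means a path reached d_syslog without either rewrite.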


