[syslog-ng] Setting and using variables

Péter, Kókai peter.kokai at oneidentity.com
Mon Mar 25 13:54:05 UTC 2019


Hello,

In short: only messages can have *variables*.

Approach #1
Let's imagine that, for example, a *logpath* can have a variable. Create the
following construct:

log {
  var("location", "space");
  var("app", "sputnik-1");
};

Also do it in a way that those variables' scope and lifetime are limited to
that *logpath*. (Which is just an arbitrary choice, but also somehow
makes sense at first glance.)

Your configuration would be as follows:

log {
        source(s_local);

        if (message('a')) {
                var("app", "foo");
                var("location", "bar");
        }
        elif (message('b')) {
                var("app", "foob");
                var("location", "barb");
        }
        else {
                var("app", "default");
                var("location", "default");
        };

        destination {
                file("/dev/stdout" template("$app $location\n"));
        };
};

The *if-else* is actually just a *logpath* in the background - it can be
rewritten so it becomes a *log*, so our scope would still apply.

When the message reaches the *destination* it cannot see the *variable*, as
neither its lifetime nor its scope allows it.

This approach won't solve this issue.

Approach #2

The same as above, but let's patch the lifetime/scope issue. Let's increase
both of them to be available from the parent (global can be done, but won't
change much).

log {
  log {
    var("location", "space");
    var("app", "sputnik-1");
  };
  #location works here
};
#but not here

In this case the variables collide with each other; there is no useful merge
strategy (imho).


From this it seems that even if *logpath* could have variable support, it
would not solve your issue. At least I do not see a proper way to do it on
paper.

Also, I think from the above it feels like it is actually a property of the
message, not the pipeline it traverses.


If you have an idea that solves the above issue I would be happy to hear it.



--
Kokan

On Mon, Mar 25, 2019 at 2:07 PM Faine, Mark R. (MSFC-IS40)[NICS] <
mark.faine at nasa.gov> wrote:

> Thank you both, this is very helpful.  I can use this.  Is it only
> possible to set variables by adding to the message?  Can variables exist
> outside of the message?
>
> -Mark
>
> *From:* syslog-ng <syslog-ng-bounces at lists.balabit.hu> *On Behalf Of *Péter, Kókai
> *Sent:* Saturday, March 23, 2019 4:34 AM
> *To:* Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
> *Subject:* Re: [syslog-ng] Setting and using variables
>
> Hello,
>
> You could use a *rewrite* rule to add an nv-pair to each message:
>
> log {
>         source(s_local);
>
>         if (message('a')) {
>                 rewrite {
>                         set("foo" value("app"));
>                         set("bar" value("location"));
>                 };
>         }
>         elif (message('b')) {
>                 rewrite {
>                         set("foob" value("app"));
>                         set("barb" value("location"));
>                 };
>         }
>         else {
>                 rewrite {
>                         set("default" value("app"));
>                         set("default" value("location"));
>                 };
>         };
>
>         destination {
>                 file("/dev/stdout" template("$app $location\n"));
>         };
> };
>
> Something like this.
>
> --
> Kokan
>
> On Fri, Mar 22, 2019 at 2:37 PM Faine, Mark R. (MSFC-IS40)[NICS] <
> mark.faine at nasa.gov> wrote:
>
> Is there a way to set variables in syslog-ng?
>
> I have a log path with about 20 if/else branches and each one does an
> unnamed destination for that branch:
>
> log {
>      source(pan_splunk);
>      if ( tags('mytag') ) {
>          destination {
>            file("/var/log/remote/backup/$HOST/asa/${HOST}_asa.log"
>            create-dirs(yes) dir-owner("splunk") dir-group("splunk")
>            dir-perm(0750));
>          };
>      } elif ( message('something else') ) {
>          destination {
>            file("/var/log/remote/backup/$HOST/pubfw/${HOST}_pubfw.log"
>            create-dirs(yes) dir-owner("splunk") dir-group("splunk")
>            dir-perm(0750));
>          };
>      } elif {
>          filter { message('foo')   or
>              message('bar')           or
>              message('baz')  or
>      ...
>
> I'd need to introduce another directory level as a variable and I'd also
> like to change an existing part of the path to a variable so that I
> could then do something like this:
>
> if ( tags('mytag') ) {
>     app = asa
>     location = msfc
> elif
> ...
>
> and at the end I could then just do a single destination that had a file
> path with the variables
> file("/var/log/remote/backup/$location/$HOST/$app/${HOST}_$app.log"
>
> Thanks,
> -Mark
>
>
>
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
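
Applied to the original question, the rewrite approach quoted above could look like the following. This is an added example, not a configuration from either poster: the source name, branch conditions and file path come from Mark's question, while the `msfc` location in the second branch and the `unknown` defaults are assumptions, and `pan_splunk` is assumed to be defined elsewhere in the configuration.

```conf
# Added example: per-message name-value pairs feeding one shared destination.
log {
    source(pan_splunk);

    if (tags('mytag')) {
        rewrite {
            set("asa"  value("app"));
            set("msfc" value("location"));
        };
    }
    elif (message('something else')) {
        rewrite {
            set("pubfw" value("app"));
            set("msfc"  value("location"));   # assumed value
        };
    }
    else {
        # An unset name-value pair expands to an empty string in a template,
        # which would leave empty path components; always set a fallback.
        rewrite {
            set("unknown" value("app"));        # assumed default
            set("unknown" value("location"));   # assumed default
        };
    };

    # The pairs travel with the message, so a single destination can use them.
    # Braces keep the macro names unambiguous next to "_" and ".log".
    destination {
        file("/var/log/remote/backup/${location}/${HOST}/${app}/${HOST}_${app}.log"
             create-dirs(yes) dir-owner("splunk") dir-group("splunk")
             dir-perm(0750));
    };
};
```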