[syslog-ng] Convert if/else to nested log paths

Faine, Mark R. (MSFC-IS40)[NICS] mark.faine at nasa.gov
Wed Mar 27 13:23:11 UTC 2019


Thank you, I did not realize that either.  I know if/else is certainly less confusing and more intuitive.  I will take a look at the gist.  I’m still interested in how it would work.

I had already decided to stick with if/else because the sysadmins who will have to maintain this don’t spend a lot of time in syslog-ng, I’m probably now the syslog-ng expert for my team, and I hardly know how to use it compared to I'm sure most of you.  Most of our systems have rsyslog on them and even then we mostly use the stock configuration unless someone needs something special, which is rare.  However, we have a bunch of splunk log aggregators and the admins for splunk are requesting syslog-ng specifically and are wanting to do some very custom filtering into folders so that they more easily index it on their end.  I don’t think their requests exactly align with splunk best practices but it isn’t my call.  Other than myself, the next time someone touches these configuration files they will likely have little knowledge of syslog-ng, so I have to make it as easy as possible to understand.

-Mark

From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> On Behalf Of Péter, Kókai
Sent: Wednesday, March 27, 2019 3:03 AM
To: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
Subject: Re: [syslog-ng] Convert if/else to nested log paths

Hello,

I want to emphasise that the *if* is a superior solution.

Here is a gist just for your academic exercise: https://gist.github.com/Kokan/6f1cec10d1053e9b67123c22342947de

--
Kokan

On Tue, Mar 26, 2019 at 8:45 PM Faine, Mark R. (MSFC-IS40)[NICS] <mailto:mark.faine at nasa.gov> wrote:
What is the conversion of an if/else to embedded log path statements?

I tried to do this today and didn't have any luck so I reverted back to if/else.

I have a log statement with a series of if/else blocks:

log {
  source(pan_splunk);
  if {
    # single quotes keep the backslash in the regex; inside double quotes
    # syslog-ng unescapes "\." to "." (any character)
    filter {
      host('^[a-z]+\.foo.*$') or
      netmask('192.168.1.100/32') or
      netmask('192.168.1.101/32');
    };
    rewrite {
      set("foo" value("location"));
    };
  } elif {
    # this branch only filters; no rewrite was given in the post
    filter {
      host('^[a-z]+\.bar.*$') or
      netmask('192.168.1.102/32') or
      netmask('192.168.1.103/32');
    };
  } else {
    rewrite {
      set("unknown" value("location"));
    };
  };
  # destination(s) omitted in the post
};

Can this be written with embedded log statements? The if/else blocks are working for me so this is just an academic exercise but I'd really like to understand how to do it with embedded log paths.

Thanks,
-Mark
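The following configuration is an added example, not part of the thread and not the contents of the gist linked above. It rewrites the if/elif/else log path from the question as nested log paths using a junction of channels, which is how syslog-ng itself treats if/elif/else internally: every branch except the last carries flags(final), so a message that matches one channel is not offered to the channels after it, and the last channel, having no filter, takes whatever is left. The source definition, the destination name d_splunk_dir, the file layout, and the rewrite to "bar" in the second branch (the post's elif branch has no rewrite) are all assumptions made for the example. Two points worth keeping in mind when reading it: host() matches the HOST field carried inside the message, which the sending system fills in, whereas netmask() matches the address syslog-ng actually received the message from; and the directory name is derived from $location, which only the rewrite rules set, rather than from a field the sender controls.

```conf
# Added example (not from the thread): if/elif/else expressed as a junction
# of channels. Names other than pan_splunk, location, foo/bar/unknown and the
# addresses from the post are assumed for illustration.

source pan_splunk {
  network(transport("udp") port(514));   # assumed; use the real source here
};

destination d_splunk_dir {
  # $location is populated by the rewrite rules inside the junction
  file("/var/log/splunk/${location}/messages" create-dirs(yes));
};

log {
  source(pan_splunk);

  junction {
    # "if" branch: match on the HOST field or on the sender's address
    channel {
      filter {
        host('^[a-z]+\.foo.*$') or
        netmask('192.168.1.100/32') or
        netmask('192.168.1.101/32');
      };
      rewrite { set("foo" value("location")); };
      flags(final);   # claimed: do not try the remaining channels
    };

    # "elif" branch; the rewrite to "bar" is assumed, the post has none here
    channel {
      filter {
        host('^[a-z]+\.bar.*$') or
        netmask('192.168.1.102/32') or
        netmask('192.168.1.103/32');
      };
      rewrite { set("bar" value("location")); };
      flags(final);
    };

    # "else" branch: no filter, so everything not claimed above lands here
    channel {
      rewrite { set("unknown" value("location")); };
    };
  };

  # all channels rejoin the parent path here with $location set
  destination(d_splunk_dir);
};
```

The junction form is chosen over plain embedded `log { ... }` statements on purpose: embedded log statements fork the message through a multiplexer and the parent path continues with its own copy, so a rewrite made inside one is not visible to a destination referenced by the parent. Channels in a junction feed back into the parent path, which is what lets the rewritten $location reach the destination. Check the result with `syslog-ng --syntax-only` before reloading.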

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq