[syslog-ng] using VARARGS correctly

Attila Szakacs (aszakacs) Attila.Szakacs at oneidentity.com
Wed May 19 06:39:56 UTC 2021


Hi Mark,

VARARGS is used to pass an unknown number of options to the underlying driver through the block.

For example:
block destination ewmm(ip('127.0.0.1') transport(tcp) port(514) ...) {
        network("`ip`" transport(`transport`) port(`port`)
                template("$(format-ewmm)")
                frac-digits(3)
                `__VARARGS__`
        );
};

"..." and "__VARARGS__" must be used together.
In the example above, any option given to the ewmm destination other than ip(), transport() and port() is passed to the underlying network() destination.

For your use case, I think a single option would suffice:
block destination default_file(
  basepath('/var/log/remote/backup')
  location("")
  app("")
  name("")
  file_path_args("")) {

  file(
    "`basepath`/`location`/`app`/${HOST}/${HOST}_`app``file_path_args`.log"
    persist-name(`name`)
    create_dirs(yes)
    flags("threaded", "no-multi-line")
  );
};

destination d_default {
  default_file(
    basepath(`BASEPATH`)
    location("$location")
    app("$app")
    name('d_default_udp')
    file_path_args("${session}${some_other_arg}")
  );
};

With the file_path_args() option you can set any number of optionally available macros in the order you like. If a macro is not available, it will resolve to an empty string.

Does this take care of your needs?

Cheers,
Attila
________________________________
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Faine, Mark R. (MSFC-IS40)[NICS] <mark.faine at nasa.gov>
Sent: Tuesday, May 18, 2021 8:00 PM
To: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
Subject: [syslog-ng] using VARARGS correctly


Syslog-ng 3.19

block destination d_default(basepath('/var/log/remote/backup') location("") app("") name("")) {
    file("`basepath`/`location`/`app`/${HOST}/${HOST}_`app``__VARARGS__`.log"
    persist-name(`name`) create_dirs(yes)
    flags("threaded", "no-multi-line"));
};

However, when I call it like so:

d_default(basepath(`BASEPATH`) location("$location") app("$app") name('d_default_udp') "$session");

I get a syntax error when checking with --syntax-only

Error parsing block reference, syntax error, unexpected LL_STRING, expecting ')' in /etc/syslog-ng/conf.d/splunk.conf:
23                  categorize_loc();
24                  categorize_app();
25              };
26          };
27          destination {
28---->       d_default(basepath(`BASEPATH`) location("$location") app("$app") name('d_default_udp') "$session");
28---->                                                                                    ^^^^^^^^^^


From looking at the documentation, it looks like it's a valid way to use it.  $session here is just a number from 0-9 that is set from rewriting a user defined macro from the message's sessionid field.  It's only going to exist for a certain kind of message.

Thanks,
-Mark
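
Added example, not part of either message and not the project's own code: the call side of the "..." / `__VARARGS__` pairing described in the reply, applied to a file() destination like the one in the question. The block name d_remote_file, the destination name d_udp, the app value "myapp" and the permission values are assumptions chosen for illustration; each forwarded argument is written as option(value), unlike the bare "$session" string that the parser rejected in the original call.

```conf
# Hypothetical block: declares basepath() and app(), and ends its argument
# list with "..." so that undeclared options are accepted.
block destination d_remote_file(basepath('/var/log/remote/backup') app("") ...) {
    file("`basepath`/`app`/${HOST}/${HOST}_`app`.log"
        create-dirs(yes)
        `__VARARGS__`
    );
};

# app() is consumed by the block itself. perm() and dir-perm() are not
# declared by the block, so they are forwarded unchanged to file() at the
# position of `__VARARGS__`, here restricting who can read the stored logs.
destination d_udp {
    d_remote_file(
        app("myapp")
        perm(0640)
        dir-perm(0750)
    );
};
```

As in the question, the result can be checked with --syntax-only before reloading.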