[syslog-ng] [EXTERNAL] Re: Value is dropped or unset in resolved destination template

Gabor Nagy (gnagy) Gabor.Nagy at oneidentity.com
Fri Mar 25 13:47:53 UTC 2022 

This should work:
log {
  source(s_network);
  filter { filter(f_1) or filter(f_2) };
  destination(d_syslog);
};

Regards,
Gabor
________________________________
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Faine, Mark R. (MSFC-IS40)[NICS] <mark.faine at nasa.gov>
Sent: Wednesday, March 23, 2022 22:36
To: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
Subject: Re: [syslog-ng] [EXTERNAL] Re: Value is dropped or unset in resolved destination template

CAUTION: This email originated from outside of the organization. Do not follow guidance, click links, or open attachments unless you recognize the sender and know the content is safe.


Can I OR filters when they are in the form filter(filter_name); such as



filter(f_foo); or filter(f_bar);



or does it have to be the long form:



filter { message='foo' or message='bar' }



The problem I'm having is that my filters are very large and I need to compare four of them for each message on the log path and so I don't want to write them inline inside of the log path.



Thanks,

-Mark





From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> On Behalf Of Nagy Gábor
Sent: Wednesday, March 23, 2022 10:03
To: wernli at in2p3.fr; Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
Subject: [EXTERNAL] Re: [syslog-ng] Value is dropped or unset in resolved destination template



Hi Mark,

Fabien is right, you should have a default value.
You are using the rewrite rules that set $location inside an if statement.
Maybe what happens is that in some cases a log doesn't match which leads to an unset $location.

Don't you have directories with $location's value too?

So you have both:
("`BASEPATH`//$(lowercase ${HOST})/$app/$(lowercase ${HOST})_$app.log"

("`BASEPATH`/$location/$(lowercase ${HOST})/$app/$(lowercase ${HOST})_$app.log"



Or $location is always empty on the destination side?



Gabor





Fabien Wernli <wernli at in2p3.fr<mailto:wernli at in2p3.fr>> ezt írta (időpont: 2022. márc. 23., Sze, 15:04):

Hi Mark,

It's really hard to tell what's happening without seeing your full
configuration. Remember messages can go through multiple logpaths, some of
which the variables are probably empty in.

That being said, if I were you I'd use a default value for your macros in any
case, much safer e.g.:

    destination d_default {
            file("`BASEPATH`/${location:-hidden}/$(lowercase ${HOST})/${app:-unknown}/$(lowercase ${HOST})_${app:-unknown}.log"
            create_dirs(yes)
            flags("threaded", "no-multi-line"));
    };

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng<https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.balabit.hu%2Fmailman%2Flistinfo%2Fsyslog-ng&data=04%7C01%7Cgabor.nagy%40oneidentity.com%7C33b3db51f5524029fb2808da0d15243b%7C91c369b51c9e439c989c1867ec606603%7C0%7C1%7C637836681707286925%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=n5y0f6MjhGi%2FM1La56oY%2FoRyOcAqb5eM3TQg0Vs3ly4%3D&reserved=0>
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng<https://nam12.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fsupport%2Fdocumentation%2F%3Fproduct%3Dsyslog-ng&data=04%7C01%7Cgabor.nagy%40oneidentity.com%7C33b3db51f5524029fb2808da0d15243b%7C91c369b51c9e439c989c1867ec606603%7C0%7C1%7C637836681707286925%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=t8voTU8qjP0RrdGPOQqDOjLkMAtxfkhcv%2BY6AYBN0hI%3D&reserved=0>
FAQ: http://www.balabit.com/wiki/syslog-ng-faq<https://nam12.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fwiki%2Fsyslog-ng-faq&data=04%7C01%7Cgabor.nagy%40oneidentity.com%7C33b3db51f5524029fb2808da0d15243b%7C91c369b51c9e439c989c1867ec606603%7C0%7C1%7C637836681707286925%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=crU0bjlG3N%2Fsy2pJ0buOVz8LkTTsaaQ4HXUbIdqxIrc%3D&reserved=0>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20220325/9077c8c6/attachment-0001.htm>

More information about the syslog-ng mailing list