2016-12-01 18:33 GMT+01:00 mosto...@gmail.com <mosto...@gmail.com>:
> Hi
>
> Is there any way to dynamically invoke a ruleset? eg: call $var
> (I'm trying to avoid having +200 if statements...

not yet, but 90% sure evrything is in place to make implementation easy.

Can you elaborate on the use case?

Rainer
>
>
>
>
> El 25/11/16 a las 14:13, David Lang escribió:
>
>> On Fri, 25 Nov 2016, mosto...@gmail.com wrote:
>>
>>>> I may be confused about which part is on the sender and which part is on
>>>> the receiver.
>>>
>>> sender: a bunch of imfiles forwarded using RELP
>>>
>>> receiver: receives a JSON with msg=plain/original message, normalize and
>>> extract fields (that should be added to JSON)
>>> each "application" should define his own rules, and sometimes even
>>> transform the JSON after that (seem's that the hard part)
>>>
>>>>
>>>>>>
>>>>>>>   *# Is addMetadata="on" needed in order to use $!metadata!filename?*
>>>>>>
>>>>>>
>>>> the easiest thing is to try it :-)
>>>
>>> I'm going to create an issue for double checking...can't handle this
>>> while editing documentation!
>>>
>>>> adding fields you may be able to do with the ammend= capabilities in the
>>>> ruleset
>>>>
>>>> if you don't want a field to be reported, give it the name '-' in the
>>>> ruleset.
>>>>
>>>> unfortunantly, you can't rename fields or copy fields in the ruleset.
>>>
>>> So: each application having one .conf file copied to rsyslog.d/ with the
>>> required steps it's the only way? Perhaps something like:
>>> *app1.conf*
>>>
>>>   if $!group == "group" and $!app == "app1" then {
>>>        # and here's an example on when to use inline rules
>>>        #     https://github.com/rsyslog/rsyslog/issues/625
>>>        # an inline rule here will make it possible to have
>>>        #     just 1 config file per app, instead of 2
>>>        action(type="mmnormalize" rulebase=:/rule-for-app1.fb")
>>>        if $parsesuccess then {
>>>            # do additional steps, transforms and whatever you want
>>>            # call foo
>>>        }
>>>        call index
>>>        stop
>>>   }
>>
>>
>> it's better to have a single ruleset that does the parsing once, and then
>> calls a 'perapp' ruleset that is something like
>>
>> ruleset(name="perapp"){
>>   include /etc/rsyslog.d/apps/*
>> }
>>
>> and in /etc/rsyslog.d/apps/ you have per app files that have the per-app
>> if statement and any manipulation needed
>>
>> David Lang
>> _______________________________________________
>> rsyslog mailing list
>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>> http://www.rsyslog.com/professional-services/
>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
>> LIKE THAT.
>
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
> LIKE THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Reply via email to