2016-12-01 18:56 GMT+01:00 mosto...@gmail.com <mosto...@gmail.com>:
> On 01/12/16 at 18:37, Rainer Gerhards wrote:
>>
>> 2016-12-01 18:33 GMT+01:00 mosto...@gmail.com <mosto...@gmail.com>:
>>>
>>> Hi
>>>
>>> Is there any way to dynamically invoke a ruleset? eg: call $var
>>> (I'm trying to avoid having +200 if statements...
>>
>> not yet, but 90% sure everything is in place to make implementation easy.
>>
>> Can you elaborate on the use case?
>
>
> relay syslog forwarding multiple files to central location
> central syslog must mmnormalize depending on syslogtag before indexing into
> elastic
> other tasks like geoip must be done whenever a message has a ip field (for
> example)
>
> current approach is as follows:
>
>  * core.conf contains input and ruleset for indexing
>  * appX.conf files are copied to /etc/rsyslogd.d/, to be loaded at start
>  * each app has a .conf file to define both, additional transformations
>    + mmnormalize rules (https://github.com/rsyslog/rsyslog/issues/625)
>  * when a message is received, it must be processed by 1-N apps, which
>    would be great if done dynamically, but I don't think that's possible.
>
>
> core.conf
>
>     ruleset(name="elastic") {
>         action(type="omelasticsearch"
>         #once this message has been processed by all modules, index
>         )
>     }
>
> app1.conf
>
>     if $!app equals "app1" then {
>         #normalize (davidlang says it's better to have 1 normalizer on
>         core.conf. I need to think about it)
>         #add some custom fields
>         #set $!index="myindexname-YYYY-MM-DD"
>         call geoip
>         stop
>     }
>
> app2.conf
>
>     if $!app equals "app2" then {
>         #normalize using inline rulebase
>         #set $!index="otherindexname";
>         stop
>     }
>
> app200.conf
>
>     if $!app equals "app20" then {
>         #whatever
>     }
>
> geoip.conf
>
>     ruleset(name="geoip") {
>         #geo tag this message
>     }
>
> unk.conf
>
>     if message_has_not_been_proccessed then {
>         #set $!index="unknown";
>     }
>
> I hope I explained myself properly...

where would you use "call $var" if it were available?

Rainer
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.