On 01/12/16 at 19:04, Rainer Gerhards wrote:
2016-12-01 18:56 GMT+01:00 mosto...@gmail.com <mosto...@gmail.com>:
On 01/12/16 at 18:37, Rainer Gerhards wrote:
2016-12-01 18:33 GMT+01:00 mosto...@gmail.com <mosto...@gmail.com>:
Hi

Is there any way to dynamically invoke a ruleset? eg: call $var
(I'm trying to avoid having +200 if statements...)
not yet, but 90% sure everything is in place to make implementation easy.

Can you elaborate on the use case?

relay syslog forwarding multiple files to central location
central syslog must mmnormalize depending on syslogtag before indexing into
elastic
other tasks like geoip must be done whenever a message has a ip field (for
example)

current approach is as follows:

  * core.conf contains input and ruleset for indexing
  * appX.conf files are copied to /etc/rsyslogd.d/, to be loaded at start
  * each app has a .conf file to define both, additional transformations
    + mmnormalize rules (https://github.com/rsyslog/rsyslog/issues/625)
  * when a message is received, it must be processed by 1-N apps, which
    would be great if done dynamically, but I don't think that's possible.


core.conf

    ruleset(name="elastic") {
         action(type="omelasticsearch"
             #once this message has been processed by all modules, index
         )
    }

app1.conf

    if $!app == "app1" then {
         #normalize (davidlang says it's better to have 1 normalizer on
         # core.conf. I need to think about it)
         #add some custom fields
         #set $!index="myindexname-YYYY-MM-DD"
         call geoip
         stop
    }

app2.conf

    if $!app == "app2" then {
         #normalize using inline rulebase
         #set $!index="otherindexname";
         stop
    }

app200.conf

    if $!app == "app20" then {
         #whatever
    }

geoip.conf

    ruleset(name="geoip") {
         #geo tag this message
    }

unk.conf

    if message_has_not_been_processed then {
         #set $!index="unknown";
    }

I hope I explained myself properly...
where would you use "call $var" if it were available?

core.conf

    ruleset(name="elastic") {
         action(type="omelasticsearch"
             #index
         )
    }
    call %syslogtag% #Really, this is actually stored at $!app, but I think you got the idea...(eg: appX)

appX.conf

    ruleset(name="appX") {
         #whatever
         #set $!index="myindexname-YYYY-MM-DD"
    }

This way, core and app configurations will be -IMHO- much simpler.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
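The following is an added example, not code from this thread or from the rsyslog project, showing one way to get the "call $var" dispatch sketched above without a long chain of if statements. It assumes an rsyslog release that provides the call_indirect statement (added to rsyslog after this thread) and lookup tables; the server name, file paths, rulebase files and the app list are placeholders. Because the dispatch key ultimately comes from the client-supplied tag, the key is passed through an allow-list lookup whose "nomatch" value routes everything unknown to a catch-all ruleset, so a sender cannot pick an arbitrary ruleset name.

```conf
# Added example (not from the thread, not rsyslog project code).
# Assumes: rsyslog with call_indirect and lookup_table support;
# placeholder hostnames, paths and rulebase files.

module(load="imtcp")
module(load="mmnormalize")
module(load="omelasticsearch")

# Allow-list of dispatchable apps. Only values listed here can select a
# ruleset; anything else resolves to "unknown" via "nomatch".
# Constructed contents of /etc/rsyslog.d/app_dispatch.lu:
# { "version": 1, "nomatch": "unknown", "type": "string",
#   "table": [ { "index": "app1", "value": "app1" },
#              { "index": "app2", "value": "app2" } ] }
lookup_table(name="app_dispatch" file="/etc/rsyslog.d/app_dispatch.lu")

# The index name is taken from $!index, which each app ruleset sets.
template(name="idx" type="string" string="%$!index%")

ruleset(name="elastic") {
    action(type="omelasticsearch" server="es.example.internal"
           searchIndex="idx" dynSearchIndex="on")
}

ruleset(name="geoip") {
    # geo-tag $!ip here (e.g. with mmdblookup); left as a comment
}

ruleset(name="app1") {
    action(type="mmnormalize" ruleBase="/etc/rsyslog.d/app1.rb")
    set $!index = "app1-" & $year & "." & $month & "." & $day;
    # only messages whose normalized form carries an ip field get geo-tagged
    if $!ip != "" then { call geoip }
    call elastic
}

ruleset(name="app2") {
    action(type="mmnormalize" ruleBase="/etc/rsyslog.d/app2.rb")
    set $!index = "app2";
    call elastic
}

# Replaces unk.conf: every message not on the allow-list lands here.
ruleset(name="unknown") {
    set $!index = "unknown";
    call elastic
}

# Entry point. In the thread the relay already sets $!app; here it is
# derived from the client-supplied program name (untrusted input), so it
# is used only as a lookup key and never directly as a ruleset name.
ruleset(name="dispatch") {
    set $!app = $programname;
    set $.target = lookup("app_dispatch", $!app);
    call_indirect $.target;
}

input(type="imtcp" port="514" ruleset="dispatch")
```

Adding an app then means one new ruleset plus one table entry, and a message tagged with a name that is not in the table is indexed under "unknown" rather than silently matching nothing or reaching a ruleset the operator did not intend for it.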