2016-12-01 19:08 GMT+01:00 mosto...@gmail.com <mosto...@gmail.com>:
>
> On 01/12/16 at 19:04, Rainer Gerhards wrote:
>
>> 2016-12-01 18:56 GMT+01:00 mosto...@gmail.com <mosto...@gmail.com>:
>>>
>>> On 01/12/16 at 18:37, Rainer Gerhards wrote:
>>>>
>>>> 2016-12-01 18:33 GMT+01:00 mosto...@gmail.com <mosto...@gmail.com>:
>>>>>
>>>>> Hi
>>>>>
>>>>> Is there any way to dynamically invoke a ruleset? eg: call $var
>>>>> (I'm trying to avoid having +200 if statements...
>>>>
>>>> not yet, but 90% sure everything is in place to make implementation easy.
>>>>
>>>> Can you elaborate on the use case?
>>>
>>>
>>> relay syslog forwarding multiple files to central location
>>> central syslog must mmnormalize depending on syslogtag before indexing
>>> into elastic
>>> other tasks like geoip must be done whenever a message has an ip field
>>> (for example)
>>>
>>> current approach is as follows:
>>>
>>>   * core.conf contains input and ruleset for indexing
>>>   * appX.conf files are copied to /etc/rsyslogd.d/, to be loaded at start
>>>   * each app has a .conf file to define both, additional transformations
>>>     + mmnormalize rules (https://github.com/rsyslog/rsyslog/issues/625)
>>>   * when a message is received, it must be processed by 1-N apps, which
>>>     would be great if done dynamically, but I don't think that's
>>> possible.
>>>
>>>
>>> core.conf
>>>
>>>     ruleset(name="elastic") {
>>>          action(type="omelasticsearch"
>>>              #once this message has been processed by all modules, index
>>>          )
>>>     }
>>>
>>> app1.conf
>>>
>>>     if $!app == "app1" then {
>>>          #normalize (davidlang says it's better to have 1 normalizer on
>>>          #core.conf. I need to think about it)
>>>          #add some custom fields
>>>          #set $!index="myindexname-YYYY-MM-DD"
>>>          call geoip
>>>          stop
>>>     }
>>>
>>> app2.conf
>>>
>>>     if $!app == "app2" then {
>>>          #normalize using inline rulebase
>>>          #set $!index="otherindexname";
>>>          stop
>>>     }
>>>
>>> app200.conf
>>>
>>>     if $!app == "app20" then {
>>>          #whatever
>>>     }
>>>
>>> geoip.conf
>>>
>>>     ruleset(name="geoip") {
>>>          #geo tag this message
>>>     }
>>>
>>> unk.conf
>>>
>>>     if message_has_not_been_processed then {
>>>          #set $!index="unknown";
>>>     }
>>>
>>> I hope I explained myself properly...
>>
>> where would you use "call $var" if it were available?
>
>
> core.conf
>
> ruleset(name="elastic") {
>         action(type="omelasticsearch"
>             #index
>         )
>    }
>    call %syslogtag%  #Really, this is actually stored at $!app, but I think
>                      #you got the idea...(eg: appX)

yup, thx. IMHO makes sense. Let's wait for what David says, but I think it
would make sense to open an issue referring to this thread. ... I know,
I also must find time to actually work on some of them... ;-)

Rainer
>
> appX.conf
>
> ruleset(name="appX") {
> #whatever
> #set $!index="myindexname-YYYY-MM-DD"
>    }
>
> This way, core and app configurations will be -IMHO- much simpler.
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
> LIKE THAT.