On 01/12/16 at 18:37, Rainer Gerhards wrote:
2016-12-01 18:33 GMT+01:00 [email protected] <[email protected]>:
Hi
Is there any way to dynamically invoke a ruleset? eg: call $var
(I'm trying to avoid having +200 if statements...)
not yet, but 90% sure everything is in place to make implementation easy.
Can you elaborate on the use case?
relay syslog forwards multiple files to a central location
central syslog must mmnormalize depending on syslogtag before indexing
into elastic
other tasks like geoip must be done whenever a message has an IP field
(for example)
current approach is as follows:
* core.conf contains input and ruleset for indexing
* appX.conf files are copied to /etc/rsyslogd.d/, to be loaded at start
* each app has a .conf file to define both additional transformations
and mmnormalize rules (https://github.com/rsyslog/rsyslog/issues/625)
* when a message is received, it must be processed by 1-N apps, which
would be great if done dynamically, but I don't think that's possible.
core.conf
ruleset(name="elastic") {
action(type="omelasticsearch"
#once this message has been processed by all modules, index
)
}
app1.conf
if $!app == "app1" then {
#normalize (davidlang says it's better to have 1 normalizer on
#core.conf. I need to think about it)
#add some custom fields
#set $!index="myindexname-YYYY-MM-DD"
call geoip
stop
}
app2.conf
if $!app == "app2" then {
#normalize using inline rulebase
#set $!index="otherindexname";
stop
}
app200.conf
if $!app == "app200" then {
#whatever
}
geoip.conf
ruleset(name="geoip") {
#geo tag this message
}
unk.conf
if message_has_not_been_processed then {
#set $!index="unknown";
}
I hope I explained myself properly...
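The layout sketched above, consolidated into one syntactically valid RainerScript configuration. This is an added example, not config from the thread or from the rsyslog project. It assumes the rulebase path /etc/rsyslog.d/core.rb, the field names $!app and $!ip that the rulebase would populate, the index names, and a placeholder geoip ruleset; the point it shows is that every matched app block ends in "stop", so whatever reaches the end of the "apps" ruleset is by construction the "message has not been processed" case and can be indexed under "unknown".

```rsyslog
# Added example, not from the thread. Paths, field names and index
# names are assumptions.
module(load="imtcp")
module(load="mmnormalize")
module(load="omelasticsearch")

# Index name comes from the per-message $!index variable.
template(name="es-index" type="string" string="%$!index%")
# Document body is the whole normalized JSON tree.
template(name="es-doc" type="list") {
    property(name="$!all-json")
}

# Placeholder for the geo-tagging step (no real lookup shown here).
ruleset(name="geoip") {
    set $!geo!tagged = "yes";
}

# Single indexing ruleset; called once the app blocks are done.
ruleset(name="elastic") {
    action(type="omelasticsearch"
           server="localhost" serverport="9200"
           template="es-doc"
           searchIndex="es-index" dynSearchIndex="on")
}

ruleset(name="apps") {
    # One normalizer on the core side; the rulebase (assumed) sets
    # $!app from the syslogtag and $!ip when the message carries an IP.
    action(type="mmnormalize" rulebase="/etc/rsyslog.d/core.rb")

    # Cross-cutting task: geo-tag any message that has an IP field.
    if $!ip != "" then {
        call geoip
    }

    # app1.conf equivalent: daily index name, then index and stop.
    if $!app == "app1" then {
        set $!index = "app1-" & $year & "-" & $month & "-" & $day;
        call elastic
        stop
    }

    # app2.conf equivalent: fixed index name.
    if $!app == "app2" then {
        set $!index = "otherindexname";
        call elastic
        stop
    }

    # unk.conf equivalent: nothing above matched (every match stopped),
    # so this message was not processed by any app block.
    set $!index = "unknown";
    call elastic
}

input(type="imtcp" port="514" ruleset="apps")
```

Each appX.conf file can still be dropped into /etc/rsyslog.d/ as its own if-block as long as the files are included in order inside the "apps" ruleset and the fallback block comes last; the "stop" at the end of each match is what keeps the unknown-index fallback from also firing for processed messages.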
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.