Prepend conditional text on output

Although I have read the docs and examples, I still cannot figure out how to prepend a text depending on a filter. I want to prepend my personal severity and app to the log message (${LEVEL} and ${PROGRAM} are not suitable for me).

I have highlighted in bold and red the configuration lines that aren't right but are there just to show what I mean. Please, any advice on how to accomplish this would be appreciated. Thanks in advance.

source s_syslog {
    file("/var/log/syslog" follow-freq(1));
    };

filter f_dhcp_alert {
    message("Stopped ISC DHCP");
    set ("MyVariable", value("DHCP-ALERT"));
    };

filter f_dhcp_warning {
    message("lease.*unavailable");
    set ("MyVariable", value("DHCP-ALERT"));
    };

destination d_dest_alert {
   program("/usr/sbin/pba.sh" template("${MyVariable} ${DATE} ${HOST} ${MESSAGE}\n") );
   };

log {
    source(s_test);
    filter(f_dhcp_alert) or filter(f_dhcp_warning);
    destination(d_dest_alert);
    };

  • If I understand correctly, you want to generate 'MyVariable' based on the content of the message.
    Then add the content of MyVariable to the message.

    To do that you have to create a conditional rewrite rule.
    support.oneidentity.com/.../67

    Filters are used for routing messages.

    You have to create a filter like this. Regular expressions can be used.

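    rewrite r_rewrite_set {
        # Set the value only when MESSAGE matches the pattern.
        # The name must match ${MyVariable} in the d_dest_alert template
        # (name-value pair names are case-sensitive).
        set("DHCP-ALERT", value("MyVariable")
            condition(
                match("(Stopped ISC DHCP|lease.*unavailable)" value("MESSAGE"))
            )
        );
    };

    log {
        source(s_test);
        rewrite(r_rewrite_set);
        destination(d_dest_alert);
    };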
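The full path from the question combined with the conditional rewrite from the reply, as an added example that is not part of the original thread. The names r_dhcp_tag and f_dhcp_tagged and the DHCP-WARNING label are assumptions, and the fragment is meant to be placed in an existing syslog-ng.conf. Unlike the log path above, it also filters, so untagged messages never reach the program with an empty prefix.

```conf
# Added example, not the poster's configuration.
source s_syslog {
    file("/var/log/syslog" follow-freq(1));
};

# Rewrite rules tag the message. Each set() fires only when its
# condition() matches; otherwise MyVariable stays unset.
rewrite r_dhcp_tag {
    set("DHCP-ALERT", value("MyVariable")
        condition(match("Stopped ISC DHCP" value("MESSAGE"))));
    # Assumption: the second pattern gets its own label.
    set("DHCP-WARNING", value("MyVariable")
        condition(match("lease.*unavailable" value("MESSAGE"))));
};

# Filters route. Only messages that received a tag pass, so the
# program never sees a line with an empty prefix.
filter f_dhcp_tagged {
    "${MyVariable}" ne "";
};

destination d_dest_alert {
    # The name in the template must match the name in set() exactly.
    program("/usr/sbin/pba.sh"
        template("${MyVariable} ${DATE} ${HOST} ${MESSAGE}\n"));
};

log {
    source(s_syslog);
    rewrite(r_dhcp_tag);       # tag first
    filter(f_dhcp_tagged);     # then drop everything untagged
    destination(d_dest_alert);
};
```

Running `syslog-ng --syntax-only` after editing checks the configuration before a reload.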
