Using filters as selector
To better control to which log messages you add contextual data, you can use filters as selectors. In this case, the first column of the CSV database file must contain the name of a filter. For each message, AxoSyslog evaluates the filters in the order they appear in the database file. If a filter matches the message, AxoSyslog adds the name-value pair related to the filter.
For example, the database file can contain the following entries. (For details on the accepted CSV format, see database().)
f_auth,domain,all
f_localhost,source,localhost
f_kern,domain,kernel
Note that AxoSyslog does not evaluate other filters after the first match. For example, if you use the previous database file, and a message matches both the f_auth and f_localhost filters, AxoSyslog adds only the name-value pair of f_auth to the message.
To add multiple name-value pairs to a message, include a separate line in the database for each name-value pair, for example:
f_localhost,host-role,firewall
f_localhost,contact-person,"John Doe"
f_localhost,contact-email,[email protected]
You can also add data to messages that do not have a matching selector entry in the database using the default-selector() option.
You must store the filters you reference in a database in a separate file. This file is similar to an AxoSyslog configuration file, but must contain only a version string and filters (and optionally comments). You can use the `syslog-ng --syntax-only
@version: 4.9.0
filter f_localhost { host("mymachine.example.com") };
filter f_auth { facility(4) };
filter f_kern { facility(0) };
Declaration:
parser p_add_context_data_filter {
    add-contextual-data(
        selector(filters("filters.conf")),
        database("context-info-db.csv"),
        prefix(".metadata.")
    );
};
If you modify the database file, or the file that contains the filters, you have to reload AxoSyslog for the changes to take effect. If reloading AxoSyslog or the files fails for some reason, AxoSyslog will keep using the last working version of the file.
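The first-match rule described above decides which enrichment a message receives, so the row order in the database file matters whenever filters overlap. The following Python model is an added illustration, not AxoSyslog code: the filters are simplified stand-ins for filters.conf (exact host comparison, assumed HOST and FACILITY message fields), and the database is a constructed combination of the sample rows on this page.

```python
import csv
import io

# Constructed database: the page's sample rows, with f_localhost given two rows.
DATABASE_CSV = """\
f_auth,domain,all
f_localhost,source,localhost
f_localhost,host-role,firewall
f_kern,domain,kernel
"""

# Python stand-ins for the filters in filters.conf (assumed message fields:
# HOST and numeric FACILITY; host() is simplified to an exact comparison).
FILTERS = {
    "f_localhost": lambda m: m["HOST"] == "mymachine.example.com",
    "f_auth": lambda m: m["FACILITY"] == 4,
    "f_kern": lambda m: m["FACILITY"] == 0,
}


def load_database(text):
    """Group rows by selector, keeping the order in which selectors first appear."""
    table = {}
    for selector, name, value in csv.reader(io.StringIO(text)):
        table.setdefault(selector, []).append((name, value))
    return table


def enrich(message, table, filters, prefix=".metadata."):
    """Return (matched selector, added pairs); stop at the first matching filter."""
    for selector, pairs in table.items():
        if filters[selector](message):
            return selector, {prefix + name: value for name, value in pairs}
    return None, {}


def later_matches(message, table, filters):
    """Selectors that also match but are never applied because an earlier one won."""
    hits = [s for s in table if filters[s](message)]
    return hits[1:]


TABLE = load_database(DATABASE_CSV)
AUTH_FROM_LOCALHOST = {"HOST": "mymachine.example.com", "FACILITY": 4}

if __name__ == "__main__":
    print(enrich(AUTH_FROM_LOCALHOST, TABLE, FILTERS))
    print("skipped:", later_matches(AUTH_FROM_LOCALHOST, TABLE, FILTERS))
```

Running `later_matches` over representative messages before deploying a database shows which rows are silently skipped, for example a host-role tag that never reaches auth messages from the same host.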