
I have two sources and one destination. I want the template used in the destination to change depending on which source I receive the log event from.

I have been able to create SDATA fields with rewrite rules, but I am unable to find a solution to change the template based on event content or source.

I will end up with many templates and many sources, and my destination has multiple workers. I do not want to use multiple destinations because that will require me to balance the number of workers based on workloads from different sources, and this will vary over time.

source s_syslog {
  network(port(10514));
};

source s_firewall {
  network(port(10515));
};

template t_template1 {
  template("something something");
};

template t_template2 {
  template("something else");
};

destination d_http {
  http(
    url("http://127.0.0.1:40000/logservice")
    # if syslog
    body(template(t_template1))
    body(template(t_template2))
  );
};

log {
  source(s_syslog);
  destination(d_http);
};

The log template used in the destination varies depending on the log source or event content.

Edit:

I might have come closer to a solution. I have not been able to figure out how to check the source as the condition, or whether that is possible. The test also always seems to evaluate as True, no matter what, which I find very strange.

template-function t_default "$(if (\"${username}\" == \"root\")
                                   \"TEMPLATE 1\"
                                   \"TEMPLATE 2\"
)";

destination d_http {
  http(
    url("http://127.0.0.1:40000/logservice")
    body("$(t_default)")
  );
};
Eirik
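An added example configuration, not from the question above, showing one way to pick the body per message inside a single http() destination. The template bodies, the @version line and the workers() count are placeholders; the ${SOURCE} macro (the name of the source statement that received the message) and the `eq` string operator are standard syslog-ng features.

```conf
@version: 3.38

source s_syslog   { network(port(10514)); };
source s_firewall { network(port(10515)); };

# One destination and one worker pool; the body is chosen per message.
# ${SOURCE} carries the name of the source statement the message came from,
# so no second destination is needed to tell the two streams apart.
#
# String tests must use `eq`. In syslog-ng 3.x `==` is a numeric comparison:
# two non-numeric strings both convert to 0 and compare equal, which is why a
# condition written as "${username}" == "root" appears to be always true.
destination d_http {
    http(
        url("http://127.0.0.1:40000/logservice")
        workers(4)   # placeholder worker count
        body("$(if (\"${SOURCE}\" eq \"s_firewall\")
                  \"FIREWALL: ${HOST} ${MESSAGE}\"
                  \"SYSLOG: ${HOST} ${MESSAGE}\")")
    );
};

# The same selection keyed on event content instead of the source:
#   body("$(if (\"${username}\" eq \"root\") \"TEMPLATE 1\" \"TEMPLATE 2\")")

log { source(s_syslog);   destination(d_http); };
log { source(s_firewall); destination(d_http); };
```

Both log paths share d_http, so worker balancing stays with the single destination rather than being split by source.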
