syslog-ng return original value when mapping does not exists

Question

i'm using syslog-ng for collecting json messages and send alarms to slack

there is parameter in json message which contains IP address of router from which I'm receiving the json message and I want to convert IP address to router hostname

i'm using two parsers 1) parse json 2) replace IP address with router hostname:

parser p_json {
    json-parser(prefix(".json."));
};

parser p_acd_router {
    add-contextual-data(selector("${.json.router_ip}"), database("host_map.csv"), prefix(".meta_router."));
};

until now everything works fine. Hi, I'm having the problem when I receive log message from router and I don't have IP_to_Hostname mapping for it in csv file. in this case i just get blank space in syslog message. there is option to return default value if mapping does not exist, but i would prefer to return original value (IP address)

if mapping exists convert IP address to hostname >> works if mapping does not exist, return original IP address >> don't know how to set it up

is this even supported?
thanks

score 1 · Accepted Answer · answered Dec 09 '21 at 23:04

You can set the default-selector("UNKNOWN") option for add-contextual-data(), and add a record to your CSV file with the ID UNKNOWN, and use the following value when setting .meta_router.hostname: ${.json.router_ip}.

TLDR: templates are supported inside the CSV file as well.

Note: In case your IPs are reverse-resolvable, you can just use the $(dns-resolve-ip) template function instead of maintaining a complete CSV database:

https://github.com/syslog-ng/syslog-ng/pull/3046

perfect, thanks! (IPs are not resolvable in this case so 1st solution was needed) — patooo, Dec 09 '21 at 23:16

syslog-ng return original value when mapping does not exists

1 Answers1