The groupset() rewrite rule allows you to modify the value of multiple message fields at once, for example, to change the value of sensitive fields extracted using patterndb, or received in a JSON format.
-
The first parameter is the new value of the modified fields. This can be a simple string, a macro, or a template (which can include template functions as well).
-
The second parameter (values()) specifies the fields to modify. You can explicitly list the macros or fields (a space-separated list with the values enclosed in double-quotes), or use wildcards and glob expressions to select multiple fields.
-
Note that groupset() does not create new fields, it only modifies existing fields.
-
You can refer to the old value of the field using the $_ macro. This is resolved to the value of the current field, and is available only in groupset() rules.
Declaration
rewrite <name_of_the_rule> {
groupset("<new-value-of-the-fields>", values("<field-name-or-glob>" ["<another-field-name-or-glob>"]));
};
Example: Using groupset rewrite rules
The following examples show how to change the values of multiple fields at the same time.
-
Change the value of the HOST field to myhost.
groupset ("myhost" values("HOST"))
-
Change the value of the HOST and FULLHOST fields to myhost.
groupset ("myhost" values("HOST" "FULLHOST"))
-
Change the value of the HOST FULLHOST and fields to lowercase.
groupset ("$(lowercase "$_")" values("HOST" "FULLHOST"))
-
Change the value of each field and macro that begins with .USER to nobody.
groupset ("nobody" values(".USER.*"))
-
Change the value of each field and macro that begins with .USER to its SHA-1 hash (truncated to 6 characters).
groupset ("$(sha1 --length 6 $_)" values(".USER.*"))
Starting with 4 F1, it is possible to apply a rewrite rule to a message only if certain conditions are met. The condition() option effectively embeds a filter expression into the rewrite rule: the message is modified only if the message passes the filter. If the condition is not met, the message is passed to the next element of the log path (that is, the element following the rewrite rule in the log statement, for example, the destination). Any filter expression normally used in filters can be used as a rewrite condition. Existing filter statements can be referenced using the filter() function within the condition. For details on filters, see Filters.
TIP: Using conditions in rewrite rules can simplify your syslog-ng PE configuration file, as you do not need to create separate log paths to modify certain messages.
The following procedure summarizes how conditional rewrite rules (rewrite rules that have the condition() parameter set) work. The following configuration snippet is used to illustrate the procedure:
rewrite r_rewrite_set{set("myhost", value("HOST") condition(program("myapplication")));};
log {
source(s1);
rewrite(r_rewrite_set);
destination(d1);};
-
The log path receives a message from the source (s1).
-
The rewrite rule (r_rewrite_set) evaluates the condition. If the message matches the condition (the PROGRAM field of the message is "myapplication"), syslog-ng PE rewrites the log message (sets the value of the HOST field to "myhost"), otherwise it is not modified.
-
The next element of the log path processes the message (d1).
Example: Using conditional rewriting
The following example sets the HOST field of the message to myhost only if the message was sent by the myapplication program.
rewrite r_rewrite_set{set("myhost", value("HOST") condition(program("myapplication")));};
The following example is identical to the previous one, except that the condition references an existing filter template.
filter f_rewritefilter {program("myapplication");};
rewrite r_rewrite_set{set("myhost", value("HOST") condition(filter(f_rewritefilter)));};
Log messages of banking and e-commerce applications might include credit card numbers (Primary Account Number or PAN). According to privacy best practices and the requirements of the Payment Card Industry Data Security Standards (PCI-DSS), PAN must be rendered unreadable. The syslog-ng PE application uses a regular expression to detect credit card numbers, and provides two ways to accomplish this: you can either mask the credit card numbers, or replace them with a hash. To mask the credit card numbers, use the credit-card-mask() or the credit-card-hash() rewrite rules in a log path.
Usage
@include "scl/rewrite/cc-mask.conf"
rewrite { credit-card-mask(value("<message-field-to-process>")); };
By default, these rewrite rules process the MESSAGE part of the log message.
credit-card-hash()
Synopsis: |
credit-card-hash(value("<message-field-to-process>")) |
Description: Process the specified message field (by default, ${MESSAGE}), and replace any credit card numbers (Primary Account Number or PAN) with its 16-character-long SHA-1 hash.
credit-card-mask()
Synopsis: |
credit-card-mask(value("<message-field-to-process>")) |
Description: Process the specified message field (by default, ${MESSAGE}), and replace the 7-12th character of any credit card numbers (Primary Account Number or PAN) with asterisks (*). For example, syslog-ng PE replaces the number 5542043004559005 with 554204******9005.