blob: 5bedbe7881ddcce0ed1cab33b263e6a80e8fa703 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
|
The rsyslog "call_indirect" statement
=====================================
The rsyslog "call_indirect" statement is equivalent to
:doc:`"call" statement <rainerscript_call>`
except that the name of the to be called ruleset is not constant but an
expression and so can be computed at runtime.
If the ruleset name cannot be found when call_indirect is used, an error
message as emitted and the call_indirect statement is ignored. Execution
continues with the next statement.
syntax
------
``call_indirect expression;``
Where "expression" is any valid expression. See
:doc:`expressions <expressions>`
for more information. Note that the trailing semicolon is needed to
indicate the end of expression. If it is not given, config load will
fail with a syntax error message.
examples
--------
The potentially most useful use-case for "call_indirect" is calling a
ruleset based on a message variable. Let us assume that you have named
your rulesets according to syslog tags expected. Then you can use
``call_indirect $syslogtag;``
To call these rulesets. Note, however, that this may be misused by a
malicious attacker, who injects invalid syslog tags. This could especially
be used to redirect message flow to known standard rulesets. To somewhat
mitigate against this, the ruleset name can be slightly mangled by creating
a **unique** prefix (do **not** use the one from this sample). Let us assume
the prefix "changeme-" is used, then all your rulesets should start with that
string. Then, the following call can be used:
``call_indirect "changeme-" & $syslogtag;``
While it is possible to call a ruleset via a constant name:
``call_indirect "my_ruleset";``
It is advised to use the "call" statement for this, as it offers superior
performance in this case.
additional information
----------------------
We need to have two different statements, "call" and "call_indirect" because
"call" already existed at the time "call_indirect" was added. We could not
extend "call" to support expressions, as that would have broken existing
configs. In that case ``call ruleset`` would have become invalid and
``call "ruleset"`` would have to be used instead. Thus we decided to
add the additional "call_indirect" statement for this use case.
|
