Log Expressions
Everything except a few things are parsed from the configuration as a log expression. The few exceptions are: templates, global options and blocks.
Sources, destinations, filters, parsers, rewrite rules and global log statements are log expressions.
Log expressions describe a graph, which is then traversed by messages received by syslog-ng. The graph used to be a tree (e.g. no cycles), but this limitation was lifted in syslog-ng 3.4, when the concept of log expression was introduced.
Log expression is a part of the graph, the larger graph is created by connecting these parts as dictated by the configuration.
Each log expression is represented using a tree of LogExprNode elements. Each node in this tree defines the layout how its children are to be connected:
- simple element: holds a single LogPipe, no children
- reference: used to reference log expressions defined elsewhere, no children
- sequence: holds a sequence of LogExprNodes
- junction: holds a junction
- conditional: holds a conditional (simple or compound if), three children: filter, true_expr, false_expr
Sometimes syslog-ng needs to know what kind of object the user originally defined, this is stored in the "content" member.
ENC_PIPE: content is a single LogPipe instance (in the "object" member) ENC_SOURCE: content is a source log expression node (source statement or one defined inline) ENC_DESTINATION: content is a destination node ENC_FILTER: content is a filter node ENC_PARSER: content is a parser node ENC_REWRITE: content is a rewrite node
1.9.1