The rsyslog “call_indirect” statement

The rsyslog “call_indirect” statement is equivalent to “call” statement except that the name of the to be called ruleset is not constant but an expression and so can be computed at runtime.

If the ruleset name cannot be found when call_indirect is used, an error message as emitted and the call_indirect statement is ignored. Execution continues with the next statement.

syntax

call_indirect expression;

Where “expression” is any valid expression. See expressions for more information. Note that the trailing semicolon is needed to indicate the end of expression. If it is not given, config load will fail with a syntax error message.

examples

The potentially most useful use-case for “call_indirect” is calling a ruleset based on a message variable. Let us assume that you have named your rulesets according to syslog tags expected. Then you can use

call_indirect $syslogtag;

To call these rulesets. Note, however, that this may be misused by a malicious attacker, who injects invalid syslog tags. This could especially be used to redirect message flow to known standard rulesets. To somewhat mitigate against this, the ruleset name can be slightly mangled by creating a unique prefix (do not use the one from this sample). Let us assume the prefix “changeme-” is used, then all your rulesets should start with that string. Then, the following call can be used:

call_indirect "changeme-" & $syslogtag;

While it is possible to call a ruleset via a constant name:

call_indirect "my_ruleset";

It is advised to use the “call” statement for this, as it offers superior performance in this case.

additional information

We need to have two different statements, “call” and “call_indirect” because “call” already existed at the time “call_indirect” was added. We could not extend “call” to support expressions, as that would have broken existing configs. In that case call ruleset would have become invalid and call "ruleset" would have to be used instead. Thus we decided to add the additional “call_indirect” statement for this use case.

See also

Help with configuring/using Rsyslog:

  • Mailing list - best route for general questions
  • GitHub: rsyslog source project - detailed questions, reporting issues that are believed to be bugs with Rsyslog
  • Stack Exchange (View, Ask) - experimental support from rsyslog community

See also

Contributing to Rsyslog: