[syslog-ng] Bug in rewrite logic, 3.3.3
Dave Rawks
dave at pandora.com
Wed Nov 30 02:42:05 CET 2011
I've got two different log paths defined that have the same rewrite
included in them. The second log path always causes the rewrite to
overwrite the incorrect macro value.
> ########################
> # Destinations
> ########################
>
> destination dn_json {
> tcp( "logstash"
> port(10514)
> so_keepalive(yes)
> template("$(format_json --pair \@timestamp=\"$ISODATE\" message=\"$MESSAGE\" priority=\"$PRIORITY\" severity=\"$SEVERITY\" facility=\"$FACILITY\" program=\"$PROGRAM\" pid=\"$PID\" date=\"$R_DATE\" host=\"$HOST\" )\n")
> );
> };
>
> ########################
> #Rewrites
> ########################
>
> rewrite r_no_pid{
> set("0", value("PID") condition("$PID" ==""));
> };
>
> ########################
> # Log paths
> # order matters if you use "flags(final);" to mark the end of processing in a
> # "log" statement. ORDER MATTERS!
> #######################
>
>
> Send all log events on to logstash
> log {
> source(s_remote);
> rewrite(r_no_pid);
> destination(dn_json);
> };
>
> log {
> source(s_netloghost);
> rewrite(r_no_pid);
> destination(df_netloghost);
> destination(dn_opennms);
> destination(dn_json);
> };
If the above configuration is used the events that pass through the
second log path have their MESSAGE macro overwritten as "0" instead of
their PID macro as is defined in the r_no_pid rewrite rule. The events
that pass through the first logpath behave as expected. If I comment out
the first logpath then the second behaves as expected.
-Dave
More information about the syslog-ng
mailing list