<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#0050d0">
<br>
<br>
Sent: Wed Sep 21 2011 09:33:40 GMT-0600 (MST)<br>
From: Gergely Nagy <a class="moz-txt-link-rfc2396E" href="mailto:algernon@balabit.hu"><algernon@balabit.hu></a><br>
To: Syslog-ng users' and developers' mailing list
<a class="moz-txt-link-rfc2396E" href="mailto:syslog-ng@lists.balabit.hu"><syslog-ng@lists.balabit.hu></a> <br>
Subject: Re: [syslog-ng] kernel logging feature requests
<blockquote cite="mid:87lith6hbf.fsf@balabit.hu" type="cite">
<pre wrap="">Balazs Scheidler <a class="moz-txt-link-rfc2396E" href="mailto:bazsi@balabit.hu"><bazsi@balabit.hu></a> writes:
</pre>
<blockquote type="cite">
<pre wrap="">On Fri, 2011-09-16 at 21:16 -0600, Patrick H. wrote:
</pre>
<blockquote type="cite">
<pre wrap="">While setting up a new server at home I've come across 2 feature
requests that would be fairly nice to have (and not that hard to
implement I would think).
1) When the 'kernel' flag is set on a file() source (like for
reading /proc/kmsg), look for the printk time (eg "[ 1234.567890]")
and calculate when the message would have occurred instead of just
using when the line was read off the file. Basically check to see the
number of seconds the system has been up, subtract the printk time,
and then subtract that from current time.
</pre>
</blockquote>
<pre wrap="">
this would be useful, I agree.
</pre>
</blockquote>
<pre wrap="">
+1.
I was pondering about how to do this properly. On one hand, extracting
the timestamp from the message is easy with patterndb. But converting it
to a proper date is a harder task that way (off the top of my head, that
would require a way to figure out the bootup time, preferably once only;
and a way to format an arbitrary timestamp to a date).
Another solution would be to add a flag(parse-kernel-uptime) flag or
similar, and implement support for it directly in syslog-ng. This would
override the $DATE macros.
There's probably other ways to do this, perhaps even easier and more
convenient ways. Any other ideas?
</pre>
</blockquote>
<br>
Well I think you'd have to calculate this on every message received.
If you do something just once like what time the system booted, if
the system time changes, then values calculated off that will be
inaccurate.<br>
Also I question if we need a separate flag. If we just use the
pre-existing 'kernel' flag, we can assign the calculated time to the
S_ macros (S_HOUR, S_DATE, etc), and then have R_ macros be the time
it was read off the line.<br>
<br>
<blockquote cite="mid:87lith6hbf.fsf@balabit.hu" type="cite">
<pre wrap="">
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">2) I grab all kernel messages with priority of crit or higher and send
it to the usertty() destination, but this destination doesnt support
templates. It'd be nice to be able to define the template. I mostly
just want to change the time format and remove the hostname (since
these will only come from localhost on my setup).
</pre>
</blockquote>
</blockquote>
<pre wrap="">[...]
</pre>
<blockquote type="cite">
<pre wrap="">Anyone volunteering?
</pre>
</blockquote>
<pre wrap="">
Unless someone beats me to it, I'll do it, when time permits. But it
would be better if someone else stepped up, it's an easy task, and I'll
gladly give pointers. You don't even have to know much C!
</pre>
</blockquote>
I might have time to do this this weekend. I'm the on-call at work
this week, so I'll be chained to my computer anyway. But I dont
know.<br>
Seems like none of us can figure if we'll have time to do this or
not :-). So if I do it, I'll just respond to this thread.<br>
</body>
</html>