Balazs Scheidler wrote:
Wow, this is a can of worms.
If I use a template of
$PRI $DATE $HOST $FACILITY.$PRIORITY $PROGRAM: $MSGONLY
it should recreate the entire syslog message, but it will not. The information inside of the [xxx] of the program will be dropped (or will it be part of the MSGONLY?
No, but if you used:
$PRI $DATE $HOST $FACILITY.$PRIORITY $MSG
This will contain all of program/pid and message in its original formatting.
If you want to exclude the [xxx] from the PROGRAM macro then I think that a new macro is required that will contain the [xxx] component. Perhaps INSTANCE or IDENTIFIER or UNIQUE.
There's a macro called $PID, but it is not always set as the pid part is optional.
I don't have the RFC in front of me, but using the terminology that the RFC uses would be good. The I can write a template of
$PRI $DATE $HOST $FACILITY.$PRIORITY $PROGRAM[$INSTANCE]: $MSGONLY
to recreate the syslog record.
An what about if the INSTANCE is not present in the record....
$MSG ?
Perhaps we need a conditional template? Currently two destinations with the same endpoint, that use different templates and different filters can be used to accomplish this, but it gets convoluted very quickly.
I don't want to complicate templates() even further. $MSG does the trick IMHO.
MSG is not sufficient because it forces the message, program and PID to be controlled as one piece. My example of recreating the original syslog record was overly simplistic and can be accomplished as you indicate with the MSG expansion. I had forgotten about PID which seems appropriate, PROVIDED it is not required to be numeric. We have a few applications that use the text between the [] as an instance name and is made up of letters and numbers. All of the more complicated examples I can think of are for data mining purposes and as such go through an external program that places the syslog data into a storage engine (database). In all of these cases, external parsing of the program[pid] can be done. IMHO it would be cleaner to parse the message in syslog-ng to create an output stream that has all of the message pieces broken apart DATE HOST FACILITY PRIORITY PROGRAM PID MSGONLY and this seems to have been addressed by the PID, with the one caveate that it must accept non-numeric data. Thanks for jogging my memory. Evan.