On Tue, 2011-07-05 at 11:03 +0200, Gergely Nagy wrote:
> Hi!
>
> Paul Muther <dalamars@gmail.com> writes:
>
>> Just joined the list. I was wondering if there was a method to rewrite the severity of an event based on the text of the entry? I know I can use regex to read the message, but from what I have seen I can't set the severity level of an event. In reading posts it would appear it was a feature under consideration in the past.
>
> Sorry for the late reply, hope it's still relevant!
>
> According to the documentation[0], the FACILITY, SEVERITY, TAGS and the date related fields cannot be rewritten.
>
> However, there might be a workaround: catch the messages you want to rewrite, pipe them to a program that calls logger (with the appropriate facility & severity), and bingo. The only thing you need to pay attention to is to avoid a loop: that's best done with using logger -u, and using a separate source for these rewritten logs.
>
> 0: http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.2-guid...

Writing to non-string properties (like FACILITY) is on my list of things I'd like to do, but no time so far.

There's a simpler solution though: use a template which simply uses a fixed PRI value instead of using the $PRI macro, e.g.

    template("<5>$DATE $HOST $MSGHDR$MSG\n");

This would send out kern.err instead of the PRI value of the original message. The value to use within <> can be calculated by: (facility * 8 + severity), and the values can be looked up in /usr/include/syslog.h or RFC3164.

-- Bazsi
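
An added illustration of the (facility * 8 + severity) arithmetic and of rewriting severity based on message text, as discussed in this thread. It is not code from any poster or from syslog-ng; the rules, sample lines and function names are constructed for the example. It keeps the original facility and replaces only the severity:

```python
import re

# Severity names in numeric order 0..7 (RFC 3164, <syslog.h>).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed rules: (pattern on the text after <PRI>, new severity). First match wins.
RULES = [
    (re.compile(r"I/O error|Out of memory", re.I), "err"),
    (re.compile(r"authentication failure", re.I), "warning"),
]
PRI_RE = re.compile(r"^<(\d{1,3})>")


def split_pri(pri):
    """PRI = facility * 8 + severity, so divmod recovers (facility, severity)."""
    return divmod(pri, 8)


def make_pri(facility, severity):
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0..23 and severity 0..7")
    return facility * 8 + severity


def rewrite_severity(line, rules=RULES):
    """Replace the severity when a rule matches; otherwise return line unchanged."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:  # 191 = 23 * 8 + 7, the largest valid PRI
        return line
    facility, _old_severity = split_pri(int(m.group(1)))
    rest = line[m.end():]
    for pattern, name in rules:
        if pattern.search(rest):
            return f"<{make_pri(facility, SEVERITIES.index(name))}>{rest}"
    return line


if __name__ == "__main__":
    # Constructed sample lines in RFC 3164 format.
    for sample in [
        "<6>Jul  5 11:03:00 host1 kernel: sda: I/O error, dev sda, sector 12345",
        "<86>Jul  5 11:03:01 host1 sshd[4242]: pam_unix(sshd:auth): authentication failure",
        "<30>Jul  5 11:03:02 host1 cron[99]: job finished",
    ]:
        print(rewrite_severity(sample))
```

Lines with a missing or out-of-range PRI are passed through untouched, so malformed input is never given a severity it did not carry.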