Hi,

On Thu, 2010-04-01 at 17:55 +0200, Ilas, Yann wrote:
..So I changed the rule "r_rewrite_set" to modify the value to "facility" :
rewrite r_rewrite_set {
    set("local4" value("FACILITY"));
};
And when I restarted the syslog-ng, I had the following errors :
# /etc/init.d/syslog-ng restart
Macros are read-only, they cannot be changed in rewrite rules, falling back to MESSAGE instead; macro='FACILITY'
Restarting syslog-ng: Stopping syslog-ng: [ OK ]
Starting syslog-ng: Macros are read-only, they cannot be changed in rewrite rules, falling back to MESSAGE instead; macro='FACILITY'
[ OK ]
I have the same error when I changed the "PRIORITY" of the rule "r_rewrite_set" :
Macros are read-only, they cannot be changed in rewrite rules, falling back to MESSAGE instead; macro='PRIORITY'
I tried to send a message by using "logger" but as it is written in the above error, the MESSAGE was changed... :-(
My questions are :
1. Which macros are read-only ? PRIORITY, FACILITY, another ?
There are two kinds of references you can make from template() strings:

1) macros: this is the original stuff, these cannot be changed as they usually involve some kind of code to transform data from the internal representation to the expanded string, examples: FACILITY, PRIORITY, date related macros, and so on

2) name-value pairs: these were introduced in syslog-ng 3.0 and cover all values that are string-like properties of a message

Macros cannot be changed (at least not directly via set/subst) whereas name-value pairs can be. To make things more complicated (all in the name of compatibility) there are some macros that are in fact name-value pairs, but require transformation when config version is for older syslog-ng release (e.g. 2.1 or older).

That said, the list of macros is to be found in the templates.c source file, but I'm including it for reference (this is from the current 3.1 sources):

  { "FACILITY", M_FACILITY },
  { "FACILITY_NUM", M_FACILITY_NUM },
  { "PRIORITY", M_LEVEL },
  { "LEVEL", M_LEVEL },
  { "LEVEL_NUM", M_LEVEL_NUM },
  { "TAG", M_TAG },
  { "TAGS", M_TAGS },
  { "BSDTAG", M_BSDTAG },
  { "PRI", M_PRI },
  { "DATE", M_DATE },
  { "FULLDATE", M_FULLDATE },
  { "ISODATE", M_ISODATE },
  { "STAMP", M_STAMP },
  { "YEAR", M_YEAR },
  { "YEAR_DAY", M_YEAR_DAY },
  { "MONTH", M_MONTH },
  { "MONTH_WEEK", M_MONTH_WEEK },
  { "MONTH_ABBREV", M_MONTH_ABBREV },
  { "MONTH_NAME", M_MONTH_NAME },
  { "DAY", M_DAY },
  { "HOUR", M_HOUR },
  { "MIN", M_MIN },
  { "SEC", M_SEC },
  { "WEEKDAY", M_WEEK_DAY_ABBREV }, /* deprecated */
  { "WEEK_DAY", M_WEEK_DAY },
  { "WEEK_DAY_ABBREV", M_WEEK_DAY_ABBREV },
  { "WEEK_DAY_NAME", M_WEEK_DAY_NAME },
  { "WEEK", M_WEEK },
  { "TZOFFSET", M_TZOFFSET },
  { "TZ", M_TZ },
  { "UNIXTIME", M_UNIXTIME },
  { "R_DATE", M_RECVD_OFS + M_DATE },
  { "R_FULLDATE", M_RECVD_OFS + M_FULLDATE },
  { "R_ISODATE", M_RECVD_OFS + M_ISODATE },
  { "R_STAMP", M_RECVD_OFS + M_STAMP },
  { "R_YEAR", M_RECVD_OFS + M_YEAR },
  { "R_YEAR_DAY", M_RECVD_OFS + M_YEAR_DAY },
  { "R_MONTH", M_RECVD_OFS + M_MONTH },
  { "R_MONTH_WEEK", M_RECVD_OFS + M_MONTH_WEEK },
  { "R_MONTH_ABBREV", M_RECVD_OFS + M_MONTH_ABBREV },
  { "R_MONTH_NAME", M_RECVD_OFS + M_MONTH_NAME },
  { "R_DAY", M_RECVD_OFS + M_DAY },
  { "R_HOUR", M_RECVD_OFS + M_HOUR },
  { "R_MIN", M_RECVD_OFS + M_MIN },
  { "R_SEC", M_RECVD_OFS + M_SEC },
  { "R_WEEKDAY", M_RECVD_OFS + M_WEEK_DAY_ABBREV }, /* deprecated */
  { "R_WEEK_DAY", M_RECVD_OFS + M_WEEK_DAY },
  { "R_WEEK_DAY_ABBREV", M_RECVD_OFS + M_WEEK_DAY_ABBREV },
  { "R_WEEK_DAY_NAME", M_RECVD_OFS + M_WEEK_DAY_NAME },
  { "R_WEEK", M_RECVD_OFS + M_WEEK },
  { "R_TZOFFSET", M_RECVD_OFS + M_TZOFFSET },
  { "R_TZ", M_RECVD_OFS + M_TZ },
  { "R_UNIXTIME", M_RECVD_OFS + M_UNIXTIME },
  { "S_DATE", M_STAMP_OFS + M_DATE },
  { "S_FULLDATE", M_STAMP_OFS + M_FULLDATE },
  { "S_ISODATE", M_STAMP_OFS + M_ISODATE },
  { "S_STAMP", M_STAMP_OFS + M_STAMP },
  { "S_YEAR", M_STAMP_OFS + M_YEAR },
  { "S_YEAR_DAY", M_STAMP_OFS + M_YEAR_DAY },
  { "S_MONTH", M_STAMP_OFS + M_MONTH },
  { "S_MONTH_WEEK", M_STAMP_OFS + M_MONTH_WEEK },
  { "S_MONTH_ABBREV", M_STAMP_OFS + M_MONTH_ABBREV },
  { "S_MONTH_NAME", M_STAMP_OFS + M_MONTH_NAME },
  { "S_DAY", M_STAMP_OFS + M_DAY },
  { "S_HOUR", M_STAMP_OFS + M_HOUR },
  { "S_MIN", M_STAMP_OFS + M_MIN },
  { "S_SEC", M_STAMP_OFS + M_SEC },
  { "S_WEEKDAY", M_STAMP_OFS + M_WEEK_DAY_ABBREV }, /* deprecated */
  { "S_WEEK_DAY", M_STAMP_OFS + M_WEEK_DAY },
  { "S_WEEK_DAY_ABBREV", M_STAMP_OFS + M_WEEK_DAY_ABBREV },
  { "S_WEEK_DAY_NAME", M_STAMP_OFS + M_WEEK_DAY_NAME },
  { "S_WEEK", M_STAMP_OFS + M_WEEK },
  { "S_TZOFFSET", M_STAMP_OFS + M_TZOFFSET },
  { "S_TZ", M_STAMP_OFS + M_TZ },
  { "S_UNIXTIME", M_STAMP_OFS + M_UNIXTIME },
  { "SDATA", M_SDATA },
  { "MSGHDR", M_MSGHDR },
  { "SOURCEIP", M_SOURCE_IP },
  { "SEQNUM", M_SEQNUM },
  /* values that have specific behaviour with older syslog-ng config versions */
  { "MSG", M_MESSAGE },
  { "MESSAGE", M_MESSAGE },
  { "HOST", M_HOST },

From these the last 3 (MSG, MESSAGE and HOST) are in fact name-value pairs which can be changed.
2. Is there a way to change the facility or the priority of an event ?
There is currently only string-based rewrite functionality in syslog-ng, e.g. only string-like properties of a message can be changed. E.g. facility/priority is not possible right now. Although we're planning to have that functionality too.

With some hackery you can change the facility/priority field though:

* create a custom template that includes a static value as the PRI field of the message: e.g.

    template("<166>$DATE $HOST $MSGHDR$MSG\n");

  The value 166 is equal to local4.info, calculated using the formula:

    (numeric value of facility) * 8 + (numeric value of severity)

  The numeric values can be found in RFC3164 or /usr/include/sys/syslog.h

* once you have the template, just send those to a pipe destination, which you also read from the same syslog-ng instance with a pipe source. Just make sure you don't create an infinite loop.
3. If not, why can't I change the facility or the priority ?
Simply because we're not there yet and because I didn't feel it that important when we implemented the rewrite functionality. It seems that I was wrong, because many of you are requesting this feature. That's why I already scheduled it for syslog-ng 3.2

--
Bazsi
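
The pipe workaround described in the reply above, written out as a syslog-ng 3.x configuration. This is an added example, not part of the original message: every object name, the program("myapp") filter, the FIFO path and the log file path are hypothetical, and the FIFO is assumed to have been created beforehand with mkfifo.

```conf
# Added example; all names and paths below are hypothetical.
source s_local { unix-stream("/dev/log"); internal(); };

# Messages whose facility/priority should be replaced.
filter f_to_local4 { program("myapp"); };

# Static PRI field: local4 (20) * 8 + info (6) = 166
template t_local4_info {
    template("<166>$DATE $HOST $MSGHDR$MSG\n");
    template_escape(no);
};

# Write the re-stamped line into a FIFO ...
destination d_repri {
    pipe("/var/run/syslog-ng-repri.fifo" template(t_local4_info));
};

# ... and read it back in the same instance, where <166> is parsed as PRI.
source s_repri { pipe("/var/run/syslog-ng-repri.fifo"); };

filter f_local4 { facility(local4); };
destination d_local4 { file("/var/log/local4.log"); };

# Path 1: selected messages go to the FIFO only.
log {
    source(s_local);
    filter(f_to_local4);
    destination(d_repri);
    flags(final);
};

# Path 2: re-read messages now match facility(local4).
# Do not reference d_repri in any path fed by s_repri, or messages loop.
log {
    source(s_repri);
    filter(f_local4);
    destination(d_local4);
};
```

Messages that arrive through s_repri carry whatever HOST and MSGHDR text the template wrote, so downstream filters on those fields see the values from the first pass.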