On Tue, Dec 04, 2001 at 04:28:24PM -0500, Jay Guerette wrote:
I have an idea for a filter function:
I would like to filter messages through an external program, ideally spawned as a child process like the 'program()' destination target.
1. Perform more complex filtering, or dynamic filtering based on input from a database or other 3rd source.
2. Reformat the messages as they pass through the filter.
Where did we leave off with this? I have a very real need myself to be able to rewrite certain log messages.

My reporting and archiving both get messed up by incorrect hostnames, mostly from Solaris clients (which don't seem to send a hostname in network syslog messages but do include the rest of the syslog header) and the tag/process field has a space in it. This makes syslog-ng think that the first part of the tag field is the hostname (correct behavior for syslog-ng, but still wrong in this case). I could make syslog-ng toss the client supplied hostname entirely (keep_hostname(no)), but then I lose half of the tag field, which I need to keep the message intact.

Archiving and reporting problems also happen when a "last message repeated XX times" message comes in. I'd rather the messages were recorded correctly in the first place - that seems the right way to do this, rather than coding in a bunch of workarounds for all tools which parse/utilize the messages.

I ended up writing a Perl daemon sitting in front of syslog-ng to fix these messages before syslog-ng even sees them, but this is no solution. I feel no desire to re-implement the proper "relay" behavior described in http://www.ietf.org/rfc/rfc3164.txt - which I really need to do to get this working right.

I think Balazs might have been in the hospital when this thread came up (BTW, hope you're well). Some kind of rewriting ability would be great, any thoughts Balazs?

OBTW, I filed a support ticket with the vendor of the software which sends the space in the tag field, but even if they fix it (not anytime soon) something like this will come up again, I'm sure.

--
Nate Campi http://www.campin.net GnuPG key: 0xC17AEF79
"If Microsoft can change and compete on quality, I've won." -- L. Torvalds
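Added example, not part of the original message and not syslog-ng or the poster's code: a Python sketch of the kind of fix-up the message describes, inserting the sender's name as HOSTNAME when the first word after the timestamp is really part of the tag. The function names, the `sender` and `known_hosts` inputs, and the sample message are assumptions made for illustration.

```python
import re

# Optional <PRI>, the RFC 3164 timestamp "Mmm dd hh:mm:ss", then everything else.
HEADER = re.compile(
    r"^(?P<pri><\d{1,3}>)?"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<rest>.*)$",
    re.DOTALL,
)


def received_host(raw):
    """Token a receiver takes as HOSTNAME: the first word after the timestamp."""
    m = HEADER.match(raw)
    return m.group("rest").split(" ", 1)[0] if m else None


def normalize(raw, sender, known_hosts):
    """Insert `sender` as HOSTNAME unless the message already carries a known one.

    sender      -- name resolved for the packet's source address (assumed input)
    known_hosts -- lower-case names accepted as client-supplied hostnames (assumed)
    """
    m = HEADER.match(raw)
    if m is None:
        return raw  # no recognisable timestamp: left untouched in this sketch
    first, _, remainder = m.group("rest").partition(" ")
    if remainder and first.lower() in known_hosts:
        return raw  # hostname present and trusted
    # The first word is really part of the tag, so keep all of it after the host.
    return f"{m.group('pri') or ''}{m.group('ts')} {sender} {m.group('rest')}"


# Constructed sample: no hostname, and a tag with a space in it.
SAMPLE = "<13>Dec  4 16:28:24 Acme Agent[411]: disk check ok"
KNOWN = {"web1", "sol8-db1"}

if __name__ == "__main__":
    print(received_host(SAMPLE))
    fixed = normalize(SAMPLE, "sol8-db1", KNOWN)
    print(fixed, "->", received_host(fixed))
```

Because a one-word hostname and the first word of a two-word tag look identical on the wire, the sketch relies on an allow-list of known client names rather than on the shape of the token.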