Hello, I'm using the syslog-ng application version 3.1.0. I would like to change the severity and/or the facility of an event. Here is the configuration for this test : template t_format { template ("$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC;$HOST;$FACILITY;$PRIORITY;$PROGRAM;$MSG\n"); }; source s_local_test { unix-stream("/dev/log"); }; destination d_test { file ( "/tmp/test" template (t_format) ); }; rewrite r_rewrite_set { set ( "my_program" value("PROGRAM") ); }; log { source (s_local_test); rewrite (r_rewrite_set); destination (d_test); }; I generated a message by using "logger" : # logger -i -p local0.info "Test Message : ABCDEFGHIJKLMNOPQRST ## $(date) ##" => /tmp/test: 2010-04-01 15:12:14;pc-dev.dom;local0;info;MY_PROGRAM;Test Message : ABCDEFGHIJKLMNOPQRST ## jeu avr 1 15:12:14 CEST 2010 ## Ok, I can change the PROGRAM name... :-) ...So I changed the rule "r_rewrite_set" to modify the value to "facility" : rewrite r_rewrite_set { set ( "local4" value("FACILITY") ); }; And when I restarted the syslog-ng, I had the following errors : # /etc/init.d/syslog-ng restart Macros are read-only, they cannot be changed in rewrite rules, falling back to MESSAGE instead; macro='FACILITY' Restarting syslog-ng: Stopping syslog-ng: [ OK ] Starting syslog-ng: Macros are read-only, they cannot be changed in rewrite rules, falling back to MESSAGE instead; macro='FACILITY' [ OK ] I have the same error when I changed the "PRIORITY" of the rule "r_rewrite_set" :
Macros are read-only, they cannot be changed in rewrite rules, falling back to MESSAGE instead; macro='PRIORITY'
I tried to send a message by using "logger" but as it written in the above error, the MESSAGE was changed... :-( My questions are : 1. Which macros are read-only ? PRIORITY, FACILITY, another ? 2. Is there a way to change the facility or the priority of an event ? 3. If not, why can't I change the facility or the priority ? Regards, Yann