[syslog-ng] Unable to set PRIORITY and LEVEL in rewrite

29 Jun 2009

      Hi,

with the central logging of syslog in place, I moved on to the file
/var/log/httpd/ssl_error_log to explore the syslog-ng (3.0.2-1 OSE on CentOS
5.3) capabilities with logfiles from other applications. The contents of this
file are rather straightforward:

[Wed Jun 24 12:14:49 2009] [warn] RSA server certificate is a CA certificate
(BasicConstraints: CA == TRUE !?)
[Wed Jun 24 12:14:49 2009] [error] [client 192.168.3.178] PHP Notice:
Undefined offset:  2

I want to skip the date/time (assuming there is no delay before syslog-ng
processes the data) and to set the PRIORITY and LEVEL attributes to "warning"
and "err". The following config file (included in the main config) should do
the job. 

source s_http_ssl_error {
                                file    (
"/var/log/httpd/ssl_error_log"
                                                flags(no-parse)
                                                follow_freq(1)
                                        );
                        };

# Split the message.
parser p_http_ssl_error {
                                csv-parser(
                                                columns(
"HTTP.TIMESTAMP",

"HTTP.SEVERITY",
                                                                "HTTP.MSG"
# Match the remainder of the message (greedy).
                                                        )
                                                delimiters( " " )
                                                flags( greedy,
escape-double-char, strip-whitespace )
                                                quote-pairs( '""[]' )
                                        );
                        };

filter  f_http_ssl_error_warn{ match( "warn" value( "HTTP.SEVERITY" ) ); };
rewrite r_http_ssl_error_warn{
                                        set( "warning" value( "LEVEL" ) );
                                        set( "warning" value( "PRIORITY" ) );
                                };

filter  f_http_ssl_error_error{ match( "error" value( "HTTP.SEVERITY" ) ); };
rewrite r_http_ssl_error_error{
                                        set( "err" value( "LEVEL" ) );
                                        set( "err" value( "PRIORITY" ) );
                                };

# Eliminate the severity as soon as PRIORITY and LEVEL are set!
# Set the attribute program to "http_ssl_error".
template t_http_ssl_error{ template( "http_ssl_error ${HTTP.SEVERITY}
${HTTP.MSG}\n" ); };

# Send the message to the regular syslog in order to transfer it to the
syslog-ng collector.
destination d_http_ssl_error{
                                unix-dgram(     "/dev/log"
                                                template( t_http_ssl_error )
                                        );
                        };

# Handle the warnings.
log     {
                source( s_http_ssl_error );
                parser( p_http_ssl_error );
                filter( f_http_ssl_error_warn );
                rewrite( r_http_ssl_error_warn );
                destination( d_http_ssl_error );
                flags( final );
        };

# Handle the errors.
log     {
                source( s_http_ssl_error );
                parser( p_http_ssl_error );
                filter( f_http_ssl_error_error );
                rewrite( r_http_ssl_error_error );
                destination( d_http_ssl_error );
                flags( final );
        };

# Handle the other messages.
log     {
                source( s_http_ssl_error );
                parser( p_http_ssl_error );
                destination( d_http_ssl_error );
        };

Inserting [warn], [error] and [other] lines in the logfile, results in the
proper number of syslog-ng messages with the desired MSG-contents. However,
the priority and level attributes are unchanged ("notice"). What is wrong?

kind regards,

Siem Korteweg