feature request: Priority remap
It would be nice to be able to use syslog-ng as a filter from the syslog sources to a final syslog server, but in doing so, change the priority of a message based on some filter expressions.

As an example, I have an application that does not support syslog. It can log all of its messages to its standard out, so it is easy to use

    application | logger -p user.info -t application

but this assigns the same priority to all messages. I would like to run this through a syslog-ng server to match expressions for -t application and then regular expressions and send them on to the production syslog server with level of error, critical, warning, info and debug.

An option for a TCP/UDP destination that would set the facility/level of the messages would be nice.

Thanks,
--
Evan Rempel erempel@uvic.ca
Senior Programmer Analyst 250.721.7691
Computing Services
University of Victoria
I would like to see the ability for syslog-ng to restart the program in a PROGRAM destination. I recognize the concern of denial of service attacks, and that needs to be addressed, but I think it could be with configurable options.

I recommend the following two options:

1. Maximum messages. After this number of messages, a SIG-QUIT is sent to the program, and a new instance of the program is started. This behaves very similar to the apache option for maximum requests that a process handles prior to terminating. The rationale for this option is a safeguard for a program that might leak resources.

2. RestartDelay in seconds. If a program terminates unexpectedly, syslog-ng has the ability to buffer messages and dump them to the program once it is restarted. With this delay, denial of service attacks can be addressed, and a reliable backend can be generated. Since there is already an option for the number of messages to buffer, the end user would be responsible for ensuring that the buffer was large enough to hold the messages for the duration of the RestartDelay.

Other considerations might be that the program is restarted immediately for a user specified number of times, after which the restart delay is used. An option for resetting the restart counter after a time interval would then be required, but this approach allows for periodic aborting of the program without the requirement for huge buffers. Only if something went wrong and repeated program aborts occurred would a backoff algorithm be required.

Thanks for an already excellent product. I hope that these suggestions make it even better.

--
Evan Rempel erempel@uvic.ca
Senior Programmer Analyst 250.721.7691
Computing Services
University of Victoria
On Wed, 2005-09-14 at 11:27 -0700, Evan Rempel wrote:
I would like to see the ability for syslog-ng to restart the program in a PROGRAM destination. I recognize the concern of denial of service attacks, and that needs to be addressed, but I think it could be with configurable options.
Program restarting is already implemented in 1.9.x branch. However, your ideas are good to improve it even further.

--
Bazsi
If I use the template option for TCP or UDP destinations, the priority of a message is always user.notice.

I set up a syslog.conf as

    source local { unix-dgram("/dev/log"); internal(); };
    source network { udp(port(514)); tcp(port(514)); };
    destination syslogng { file("/var/log/syslog-ng" template("$DATE $HOST $FACILITY $PRIORITY $MESSAGE\n")); };
    destination self { udp("cashmere.comp.uvic.ca" template("$FACILITY $PRIORITY From $HOST: $MESSAGE\n")); };
    log { source(local); destination(self); };
    log { source(network); destination(syslogng); };

and then I ran

    logger -p ftp.alert "everything is wrong"

and I got the following in the /var/log/syslog-ng file

    Sep 15 10:38:51 cashmere.comp.uvic.ca user notice ftp alert From cashmere.comp.uvic.ca: sysprog: everything is wrong

Notice that the udp sent message contains the original ftp.alert priority, but when the message is received via UDP, the message has priority user.notice.

Am I doing something wrong?

--
Evan Rempel erempel@uvic.ca
Senior Programmer Analyst 250.721.7691
Computing Services
University of Victoria
On Thu, 2005-09-15 at 10:51 -0700, Evan Rempel wrote:
If I use the template option for TCP or UDP destinations, the priority of a message is always user.notice.
I set up a syslog.conf as
    source local { unix-dgram("/dev/log"); internal(); };
    source network { udp(port(514)); tcp(port(514)); };
    destination syslogng { file("/var/log/syslog-ng" template("$DATE $HOST $FACILITY $PRIORITY $MESSAGE\n")); };
    destination self { udp("cashmere.comp.uvic.ca" template("$FACILITY $PRIORITY From $HOST: $MESSAGE\n")); };
    log { source(local); destination(self); };
    log { source(network); destination(syslogng); };
Add a "<$PRI>" to the beginning of your templates.

--
Bazsi
On Wed, 2005-09-14 at 11:12 -0700, Evan Rempel wrote:
It would be nice to be able to use syslog-ng as a filter from the syslog sources to a final syslog server, but in doing so, change the priority of a message based on some filter expressions.
I'm thinking about a generic rewrite capability (e.g. not only priority but also message parts); it is, however, not yet implemented.

--
Bazsi
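An added example, not code from syslog-ng or from either poster, covering both the "<$PRI>" answer and the priority remap request: it decodes the PRI header (facility * 8 + severity), falls back to 13 (user.notice, the RFC 3164 default) when the header is absent as with the template above, and rewrites the severity from regex rules. The rule set, the host name in the tagged sample and the function names are assumptions made for illustration.

```python
import re

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "news", "uucp", "cron", "authpriv", "ftp"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice",
              "info", "debug"]
DEFAULT_PRI = 13  # user.notice, assumed when a message has no <PRI> header
PRI_RE = re.compile(r"^<(\d{1,3})>")

# Hypothetical remap rules: (program tag, pattern in the text, new severity).
RULES = [
    ("application", re.compile(r"\b(FATAL|PANIC)\b"), "crit"),
    ("application", re.compile(r"\bERROR\b"), "err"),
    ("application", re.compile(r"\bWARN(ING)?\b"), "warning"),
    ("application", re.compile(r"\bDEBUG\b"), "debug"),
]

def split_pri(datagram):
    """Return (pri, rest); a missing or out-of-range header gives DEFAULT_PRI."""
    m = PRI_RE.match(datagram)
    if m and int(m.group(1)) <= 191:          # 191 = local7.debug, the maximum
        return int(m.group(1)), datagram[m.end():]
    return DEFAULT_PRI, datagram

def pri_name(pri):
    """Decode PRI = facility * 8 + severity into 'facility.severity'."""
    fac, sev = divmod(pri, 8)
    if fac < len(FACILITIES):
        fac_name = FACILITIES[fac]
    elif 16 <= fac <= 23:
        fac_name = f"local{fac - 16}"
    else:
        fac_name = f"facility{fac}"
    return f"{fac_name}.{SEVERITIES[sev]}"

def remap(datagram):
    """Rewrite <PRI> from the first matching rule, keeping the facility."""
    pri, rest = split_pri(datagram)
    for tag, pattern, severity in RULES:
        if f" {tag}: " in rest and pattern.search(rest):
            pri = (pri // 8) * 8 + SEVERITIES.index(severity)
            break
    return f"<{pri}>{rest}"

# Constructed samples; BARE is the body the page's "self" template emits.
TAGGED = "<14>Sep 15 10:38:51 cashmere application: ERROR cannot open database"
BARE = "ftp alert From cashmere.comp.uvic.ca: sysprog: everything is wrong"

if __name__ == "__main__":
    print(pri_name(split_pri(BARE)[0]))           # header missing
    print(pri_name(split_pri("<89>" + BARE)[0]))  # header restored
    print(remap(TAGGED))
```
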
participants (2): Balazs Scheidler, Evan Rempel