Hi,
We have some setups where we want to have a large log_msg_size, but need to send some logs to an external party which only can handle standard BSD syslog messages with a maximum size of 1024 bytes.
Question: would it be possible to add a per-destination log-msg-size to truncate the messages on a per-destination basis? I think that it would be very useful. Something like:
destination d_remote { udp("192.168.65.10" port(514) log_msg_size(1024)); };
Do you find it a good idea and is there any chance that this might be implemented?
Thanks
David
Hi,
Truncating log messages? Sorry, but this just doesn't sound right when it comes to syslog-ng itself.
You can write an app to forward the logs in any way and this app could get used by syslog-ng: pipe() or program()
Regards,
Sandor
On Wed, Feb 19, 2014 at 8:10 AM, David Schweikert <david@schweikert.ch> wrote:
> Hi,
> We have some setups where we want to have a large log_msg_size, but need to send some logs to an external party which only can handle standard BSD syslog messages with a maximum size of 1024 bytes.
> Question: would it be possible to add a per-destination log-msg-size to truncate the messages on a per-destination basis? I think that it would be very useful. Something like:
> destination d_remote { udp("192.168.65.10" port(514) log_msg_size(1024)); };
> Do you find it a good idea and is there any chance that this might be implemented?
> Thanks
> David
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
Hi Sandor,
Thanks for the quick reply and a proposed workaround.
On Wed, Feb 19, 2014 at 09:02:23 +0100, Sandor Geller wrote:
> Truncating log messages? Sorry, but this just doesn't sound right when it comes to syslog-ng itself.
Why does it make sense in a source context but not in a destination context?
You could argue that it makes even more sense in a destination context, because it allows to deal with legacy systems, whereas syslog-ng doesn't need any size limitations.
Cheers
David
You could also run a second copy of syslog-ng on the host that has a shorter message. Use that instance to forward the logs to the other destination.
This avoids you having to write your own program :-)
On 02/19/2014 02:17 AM, David Schweikert wrote:
> Hi Sandor,
> Thanks for the quick reply and a proposed workaround.
> On Wed, Feb 19, 2014 at 09:02:23 +0100, Sandor Geller wrote:
> > Truncating log messages? Sorry, but this just doesn't sound right when it comes to syslog-ng itself.
> Why does it make sense in a source context but not in a destination context?
> You could argue that it makes even more sense in a destination context, because it allows to deal with legacy systems, whereas syslog-ng doesn't need any size limitations.
> Cheers
> David
--
Evan Rempel erempel@uvic.ca
Senior Systems Administrator 250.721.7691
Data Centre Services, University Systems, University of Victoria
On 19.02.2014 08:10, David Schweikert wrote:
> We have some setups where we want to have a large log_msg_size, but need to send some logs to an external party which only can handle standard BSD syslog messages with a maximum size of 1024 bytes.
> Question: would it be possible to add a per-destination log-msg-size to truncate the messages on a per-destination basis? I think that it would be very useful. Something like:
> destination d_remote { udp("192.168.65.10" port(514) log_msg_size(1024)); };
> Do you find it a good idea and is there any chance that this might be implemented?
Use a template() that utilizes $(substr) template function. See http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.4-guide... for more details.
HTH.
--
Jakub Jankowski|shasta@toxcorp.com|http://toxcorp.com/
GPG: FCBF F03D 9ADB B768 8B92 BB52 0341 9037 A875 942D
On Wed, Feb 19, 2014 at 23:12:28 +0100, Jakub Jankowski wrote:
> Use a template() that utilizes $(substr) template function. See http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.4-guide... for more details.
Ah, cool! I will try that out. Thank you.
Cheers
David
On Wed, Feb 19, 2014 at 23:12:28 +0100, Jakub Jankowski wrote:
> Use a template() that utilizes $(substr) template function. See http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.4-guide... for more details.
For the records: it seems to work nicely. I use it as follows:
template t_legacy_bsd {
    template("$(substr \"<$PRI>$DATE $HOST $MSGHDR$MSG\" \"0\" \"1023\")\n");
    template_escape(no);
};
Cheers
David
By using apostrophes instead of quotes you can get rid of those ugly backslashes.
On Feb 21, 2014 9:50 AM, "David Schweikert" <david@schweikert.ch> wrote:
> On Wed, Feb 19, 2014 at 23:12:28 +0100, Jakub Jankowski wrote:
> > Use a template() that utilizes $(substr) template function. See
> > http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.4-guide...
> > for more details.
> For the records: it seems to work nicely. I use it as follows:
> template t_legacy_bsd { template("$(substr \"<$PRI>$DATE $HOST $MSGHDR$MSG\" \"0\" \"1023\")\n"); template_escape(no); };
> Cheers
> David
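An added example (not part of the thread and not syslog-ng code): a Python model of the frame that t_legacy_bsd lays out, cut to the 1024-byte limit on byte boundaries without splitting a UTF-8 character, plus a check for captured datagrams. The function names and sample values are assumptions made for illustration, and it makes no claim about how $(substr) counts its length argument.

```python
BSD_MAX = 1024  # receiver limit stated in the thread


def legacy_bsd_frame(pri, date, host, msghdr, msg, limit=BSD_MAX):
    """Build '<PRI>DATE HOST MSGHDRMSG' plus a newline in at most `limit` bytes.

    Returns (frame, truncated). The field order follows t_legacy_bsd; the cut
    is made on bytes and never leaves half a UTF-8 character behind.
    """
    raw = f"<{pri}>{date} {host} {msghdr}{msg}".encode("utf-8")
    room = limit - 1  # reserve one byte for the trailing newline
    if len(raw) <= room:
        return raw + b"\n", False
    # raw is valid UTF-8, so the only invalid bytes after slicing are an
    # incomplete sequence at the cut; errors="ignore" drops exactly those.
    body = raw[:room].decode("utf-8", errors="ignore").encode("utf-8")
    return body + b"\n", True


def fits_legacy_receiver(datagram, limit=BSD_MAX):
    """Check a captured datagram: within the size limit and valid UTF-8."""
    try:
        datagram.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return len(datagram) <= limit


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    hdr = dict(pri=13, date="Feb 21 09:50:00", host="host12",
               msghdr="app[42]: ")
    for msg in ("short", "A" * 2000, "\u00e9" * 2000):
        frame, cut = legacy_bsd_frame(msg=msg, **hdr)
        print(len(frame), cut, fits_legacy_receiver(frame))
```

The returned flag lets the sender count or tag truncated events, so a message that reached the external party incomplete can be looked up in the untruncated local log.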
participants (5): Balazs Scheidler, David Schweikert, Evan Rempel, Jakub Jankowski, Sandor Geller