Hi,

I'm in the process of simplifying my structured logging config. Most of my systems now have journald shipping local logs to syslog-ng via the `system()` auto-expanding source. While this is convenient, as it makes it possible to use the same config for all my systems (systemd and rest of world), it also makes it impossible to configure the underlying driver's defaults.

The task at hand is shipping the journald additional fields, which would be easy to do using the following excerpt from the documentation:

```
source s_journald { systemd-journal(prefix(".SDATA.journald.")); };
```

This is not possible of course using `system()`. I've got a couple of ideas on how to handle this, but I'd like to hear other (probably less insane than my own) ways first :-)

Cheers
Hello,

when I read your email I immediately thought about some confgen block, where systemd is handled as an exception, and syslog-ng can "do the rest" with a system block in the else branch. (I checked it, confgen block runs first, so a generated "system()" block will be expanded later by syslog-ng.) But I thought this must be the "insane idea" you referred to earlier 🙂 So I waited a little, maybe someone on the mailing list has a better option.

In the meantime, I also checked the code of the system() source, maybe we can add an additional parameter. Unfortunately there was a design choice earlier, where we handle all unknown parameters as "app-parser" parameters, so the "pass everything" part will not work in this case. At this point, I could hardly imagine any solution without breaking legacy behavior, but I am open to any suggestion.

Best regards,
Laci

________________________________
From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of Fabien Wernli <wernli@in2p3.fr>
Sent: Wednesday, July 29, 2020 14:38
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: [syslog-ng] journald prefix
Hi,

Thanks for giving this some thought :-) I think I'll take a step back, and consider using EWMM instead, where the journald stuff gets sent over too.

Cheers
participants (2)
- Fabien Wernli
- Laszlo Szemere (lszemere)
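The confgen approach described in the reply above, as an added example that is not part of the thread or of syslog-ng itself: a generator script that emits the prefixed `systemd-journal()` driver on systemd hosts and falls back to `system()` elsewhere. The script path, the block name `local_logs` and the `/run/systemd/system` check are assumptions; on systemd hosts the script emits only the journal driver, so anything else `system()` would have set up there is not included.

```shell
#!/bin/sh
# Added example (hypothetical path: /etc/syslog-ng/gen-local-source.sh).
# Wiring it into syslog-ng.conf, with assumed names:
#   @module confgen context(source) name(local_logs) exec("/etc/syslog-ng/gen-local-source.sh")
#   source s_local { local_logs(); };
# syslog-ng runs the script at config load and inserts its stdout where
# local_logs() appears; a generated system() is expanded afterwards.

# Prefix taken from the documentation excerpt quoted in the thread.
JOURNAL_PREFIX=".SDATA.journald."

# gen_source [DIR]
# Print the source driver statement for this host. DIR is the directory whose
# presence marks a systemd-booted system (assumption: /run/systemd/system);
# it is a parameter so the choice can be exercised without touching the host.
gen_source() {
    systemd_dir="${1:-/run/systemd/system}"
    if [ -d "$systemd_dir" ]; then
        # systemd host: read the journal directly so prefix() can be set.
        printf 'systemd-journal(prefix("%s"));\n' "$JOURNAL_PREFIX"
    else
        # Everything else: let syslog-ng pick the platform's local sources.
        printf 'system();\n'
    fi
}

gen_source "$@"
```

Run the script by hand on each kind of host and compare its output with the preprocessed configuration before switching the local source over, so that a failed detection does not silently drop the journal fields.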