Hello all,

Just joined the list. I was wondering if there was a method to rewrite the severity of an event based on the text of the entry? I know I can use regex to read the message but from what I have seen I can't set the severity level of an event. In reading posts it would appear it was a feature under consideration in the past.

Thanks much,
PM
Hi!

Paul Muther <dalamars@gmail.com> writes:

> Just joined the list. I was wondering if there was a method to rewrite the severity of an event based on the text of the entry? I know I can use regex to read the message but from what I have seen I can't set the severity level of an event. In reading posts it would appear it was a feature under consideration in the past.

Sorry for the late reply, hope it's still relevant!

According to the documentation[0], the FACILITY, SEVERITY, TAGS and the date related fields cannot be rewritten.

However, there might be a workaround: catch the messages you want to rewrite, pipe them to a program that calls logger (with the appropriate facility & severity), and bingo. The only thing you need to pay attention to is avoiding a loop: that's best done by using logger -u, and using a separate source for these rewritten logs.

0: http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.2-guid...

--
|8]
On Tue, 2011-07-05 at 11:03 +0200, Gergely Nagy wrote:
> Hi!
>
> Paul Muther <dalamars@gmail.com> writes:
>
> > Just joined the list. I was wondering if there was a method to rewrite the severity of an event based on the text of the entry? I know I can use regex to read the message but from what I have seen I can't set the severity level of an event. In reading posts it would appear it was a feature under consideration in the past.
>
> Sorry for the late reply, hope it's still relevant!
>
> According to the documentation[0], the FACILITY, SEVERITY, TAGS and the date related fields cannot be rewritten.
>
> However, there might be a workaround: catch the messages you want to rewrite, pipe them to a program that calls logger (with the appropriate facility & severity), and bingo. The only thing you need to pay attention to is avoiding a loop: that's best done by using logger -u, and using a separate source for these rewritten logs.
>
> 0: http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.2-guid...

Writing to non-string properties (like FACILITY) is on my list of things I'd like to do, but no time so far.

There's a simpler solution though: use a template which simply uses a fixed PRI value instead of using the $PRI macro. e.g.

template("<5>$DATE $HOST $MSGHDR$MSG\n");

This would send out kern.err instead of the PRI value of the original message. The value to use within <> can be calculated by: (facility * 8 + severity), and the values can be looked up in /usr/include/syslog.h or RFC3164.

--
Bazsi
Hi Bazsi,

I hadn't thought of doing it that way. :)

So with this solution I define a template for each program/severity level I need and then use filters and parsers to find the entries for each template to apply to?

Thanks,
PM

On Jul 19, 2011, at 8:34 AM, Balazs Scheidler wrote:
> On Tue, 2011-07-05 at 11:03 +0200, Gergely Nagy wrote:
> > Hi!
> >
> > Paul Muther <dalamars@gmail.com> writes:
> >
> > > Just joined the list. I was wondering if there was a method to rewrite the severity of an event based on the text of the entry? I know I can use regex to read the message but from what I have seen I can't set the severity level of an event. In reading posts it would appear it was a feature under consideration in the past.
> >
> > Sorry for the late reply, hope it's still relevant!
> >
> > According to the documentation[0], the FACILITY, SEVERITY, TAGS and the date related fields cannot be rewritten.
> >
> > However, there might be a workaround: catch the messages you want to rewrite, pipe them to a program that calls logger (with the appropriate facility & severity), and bingo. The only thing you need to pay attention to is avoiding a loop: that's best done by using logger -u, and using a separate source for these rewritten logs.
> >
> > 0: http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.2-guid...
>
> Writing to non-string properties (like FACILITY) is on my list of things I'd like to do, but no time so far.
>
> There's a simpler solution though: use a template which simply uses a fixed PRI value instead of using the $PRI macro. e.g.
>
> template("<5>$DATE $HOST $MSGHDR$MSG\n");
>
> This would send out kern.err instead of the PRI value of the original message.
>
> The value to use within <> can be calculated by: (facility * 8 + severity), and the values can be looked up in /usr/include/syslog.h or RFC3164.
>
> --
> Bazsi
On Wed, 2011-07-20 at 14:32 -0700, Paul Muther wrote:
> Hi Bazsi,
>
> I hadn't thought of doing it that way. :)
>
> So with this solution I define a template for each program/severity level I need and then use filters and parsers to find the entries for each template to apply to?

Well, that might be doable, but it really sounds more complicated than it would need to be. I'm thinking about making some of the macros "writable", like LEVEL and FACILITY, in the future. However, this would certainly need some core syslog-ng work.

A simpler implementation (and less elegant, but still better than the one above) would be to create a plugin for setting the facility/priority value as a rewrite rule. Would be quite easy to write. What about this one:

rewrite r_fac {
  set-facility("kern");
  set-severity("emerg");
};

I think this would be a piece of cake for someone trying to experiment with plugin writing. Anyone volunteering?

--
Bazsi
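As an added example (not part of the thread, and not syslog-ng's own code), the following Python works through the PRI arithmetic Bazsi describes (facility * 8 + severity, numbered as in RFC 3164 and syslog.h) and applies a fixed-PRI rewrite chosen by regex rules on the message text, standing in for the set-facility()/set-severity() rewrite rule he proposes. The facility/severity tables, the rules and the sample log lines are constructed here; the assertions show, for instance, that kern.err encodes as <3> while <5> decodes to kern.notice.

```python
import re

# RFC 3164 numbering (also in /usr/include/syslog.h): PRI = facility * 8 + severity.
# Only the facility names whose numbers are fixed across implementations are listed.
FACILITY = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
            "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
            "local0": 16, "local1": 17, "local2": 18, "local3": 19,
            "local4": 20, "local5": 21, "local6": 22, "local7": 23}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}
FACILITY_NAME = {v: k for k, v in FACILITY.items()}
SEVERITY_NAME = {v: k for k, v in SEVERITY.items()}


def encode_pri(facility, severity):
    """Return the number that goes inside <> for a facility.severity pair."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def decode_pri(pri):
    """Split a PRI value back into (facility, severity) names."""
    fac = FACILITY_NAME.get(pri // 8, "facility%d" % (pri // 8))
    return fac, SEVERITY_NAME[pri % 8]


# Constructed rules (hypothetical): regex on the message text -> new facility, new severity.
# They play the role of the set-facility()/set-severity() rewrite rule from the thread.
RULES = [
    (re.compile(r"authentication failure"), "auth", "warning"),
    (re.compile(r"Failed password for (invalid user )?\S+ from"), "auth", "notice"),
]


def rewrite_line(line, rules=RULES):
    """Re-emit a BSD-syslog line '<PRI>TIMESTAMP HOST MSG' with a fixed PRI chosen by the
    first matching rule; lines matching no rule are returned unchanged, so their original
    facility/severity is preserved (this is what the fixed-PRI template cannot do on its own)."""
    m = re.match(r"<(\d{1,3})>(.*)$", line, re.S)
    if not m:
        return line  # not a PRI-prefixed line; leave untouched
    body = m.group(2)
    for pattern, facility, severity in rules:
        if pattern.search(body):
            return "<%d>%s" % (encode_pri(facility, severity), body)
    return line


# Constructed sample lines: user.notice (<13>) messages as a forwarder might emit them.
SAMPLE_LINES = [
    "<13>Jul 19 08:34:00 host sshd[123]: Failed password for root from 10.0.0.1 port 22 ssh2",
    "<13>Jul 19 08:34:01 host cron[5]: (root) CMD (run-parts /etc/cron.hourly)",
]


def rewrite_all(lines=SAMPLE_LINES):
    """Apply rewrite_line to every sample line and return the results."""
    return [rewrite_line(l) for l in lines]
```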
participants (3): Balazs Scheidler, Gergely Nagy, Paul Muther