replacing log statements
Hello. "allow-config-dups" allow to replace some objects. As I understand log objects cann't have identifier and cann't be replaced therefore. Is it true or I wrong? It would be nice to be able to replace log object also. -- Regards, Sergey
Hi, "allow-config-dups" allow to replace some objects. As I understand
log objects cann't have identifier and cann't be replaced therefore. Is it true or I wrong? It would be nice to be able to replace log object also.
That is correct. You can think of a "log" block as an operation (not really an object) that links objects together, creating a path (a directed acyclic graph). They have no identifiers though. Could you share your use case, where you wanted to "replace" log blocks? -- László Várady
On Tue, Mar 05, 2019 at 09:20:37PM +0100, Várady, László wrote:
Hi,
"allow-config-dups" allow to replace some objects. As I understand
log objects cann't have identifier and cann't be replaced therefore. Is it true or I wrong? It would be nice to be able to replace log object also.
That is correct. You can think of a "log" block as an operation (not really an object) that links objects together, creating a path (a directed acyclic graph). They have no identifiers though.
I also think named log statements would make sense. At the very least, they would add clarity to config files, and could help identify duplicates.
On Wednesday 06 March 2019, you wrote:
Could you share your use case, where you wanted to "replace" log blocks?
My use case is the reducing /var/log/messages when new software installed. This can be implemented through the filter override but not so visual. For example a base config: == ... filter f_mesgs { level(info) and not facility(mail,authpriv); }; destination mesg { file("/var/log/syslog/messages"); }; log { source(sys); filter(f_mesgs); destination(mesg); }; ... @include "/etc/syslog-ng/conf.d/*.conf" == Then I install Cyrus-IMAP for example. == conf.d/cyrus-imap.conf == ... filter f_cyrus { match("cyrus/"); }; filter f_not_cyrus { not match("cyrus/"); }; ... log { source(sys); filter(f_cyrus); destination(cyrus); }; == But some messages of Cyrus-IMAP is satisfy to the f_mesgs condition. I can redifine f_mesgs: filter f_mesgs { level(info) and not facility(mail,authpriv) and not match("cyrus/"); }; But the log override is more succinctly: log { source(sys); filter(f_mesgs); filter (f_not_cyrus); destination(mesg); }; In this example, the "f_not_cyrus" filter is simple but they can be more complex. The "f_mesg" filter can be difficult to read in the result. -- Regards, Sergey
Hi, In this use-case I would recommend using the "final" flag, e.g. you do this: log { source(sys); filter(f_cyrus); destination(cyrus); flags(final); }; log { source(sys); filter(f_mesgs); destination(mesg); }; And then, the mesg destination will only receive messages that: 1) cyrus related log statement didn't match 2) and it matches f_mesgs With this structure you only have to add new log statements (in proper order though) and don't have to change the "catch-all" log statement at the end. It also performs much better and the configuration is more readable. Bazsi On Wed, Mar 6, 2019 at 3:01 PM Sergey <a_s_y@sama.ru> wrote:
On Wednesday 06 March 2019, you wrote:
Could you share your use case, where you wanted to "replace" log blocks?
My use case is the reducing /var/log/messages when new software installed. This can be implemented through the filter override but not so visual.
For example a base config:
== ... filter f_mesgs { level(info) and not facility(mail,authpriv); }; destination mesg { file("/var/log/syslog/messages"); };
log { source(sys); filter(f_mesgs); destination(mesg); }; ... @include "/etc/syslog-ng/conf.d/*.conf" ==
Then I install Cyrus-IMAP for example.
== conf.d/cyrus-imap.conf == ... filter f_cyrus { match("cyrus/"); }; filter f_not_cyrus { not match("cyrus/"); }; ... log { source(sys); filter(f_cyrus); destination(cyrus); }; ==
But some messages of Cyrus-IMAP is satisfy to the f_mesgs condition. I can redifine f_mesgs:
filter f_mesgs { level(info) and not facility(mail,authpriv) and not match("cyrus/"); };
But the log override is more succinctly:
log { source(sys); filter(f_mesgs); filter (f_not_cyrus); destination(mesg); };
In this example, the "f_not_cyrus" filter is simple but they can be more complex. The "f_mesg" filter can be difficult to read in the result.
-- Regards, Sergey
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
On Wednesday 06 March 2019, Scheidler, Balázs wrote:
In this use-case I would recommend using the "final" flag, e.g. you do this:
log { source(sys); filter(f_cyrus); destination(cyrus); flags(final); }; log { source(sys); filter(f_mesgs); destination(mesg); };
This will require earlier use @include "/etc/syslog-ng/conf.d/*.conf". But maybe it will be really good idea to place it before all standard log statements. I'll think about it, thanks. :-) -- Regards, Sergey
participants (4)
-
Fabien Wernli
-
Scheidler, Balázs
-
Sergey
-
Várady, László