[Bug 88] New: rewrite FACILITY does not work.
https://bugzilla.balabit.com/show_bug.cgi?id=88

           Summary: rewrite FACILITY does not work.
           Product: syslog-ng
           Version: 3.0.x
          Platform: PC
        OS/Version: Windows
            Status: NEW
          Severity: normal
          Priority: unspecified
         Component: syslog-ng
        AssignedTo: bazsi@balabit.hu
        ReportedBy: alex-pub.balabit@reflexion.net
Type of the Report: ---
   Estimated Hours: 0.0

Here is the fragment of my syslog-ng.conf file that demonstrates the problem

    source remote_sys {
        tcp( ip( "0.0.0.0" ) port( 514 ) max-connections( 1152 ) );
        udp( ip( "0.0.0.0" ) port( 514 ) );
    };

    destination d_remote_consolidated_log {
        file( "/var/log/remote/$FACILITY/$FACILITY.log"
            create_dirs( yes )
            perm( 0644 )
            dir_perm( 0755 )
            template( "$R_ISODATE $HOST -$LEVEL- $PROGRAM[$PID]: $MSGONLY\n" )
            frac_digits( 6 )
            template_escape( no )
        );
    };

    filter f_apache { facility( local1 ); };

    rewrite r_rewrite_apache_facility { set("apache" value("FACILITY")); };

    log {
        source( remote_sys );
        filter( f_apache );
        rewrite( r_rewrite_apache_facility );
        destination( d_remote_consolidated_log );
        flags( final );
    };

If I issue the following command from the host connected to this syslog-ng server:

    $ echo this is apache log test | logger -t apache-test -p local1.info

Then the output is sent to "/var/log/remote/local1/local1.log" instead of expected "/var/log/remote/apache/apache.log".

Also, if I include $FACILITY into the destination template it prints "local1"

If I run syslog-ng with -d flag I see this in output:
Rewrite expression evaluation result; value='FACILITY', new_value='apache'
Below is a full log for this test
    Incoming log entry; line='<142>Jun 22 17:36:11 host-1 apache-test: this is a test 2'
    Filter rule evaluation begins; filter_rule='f_filter1'
    Filter node evaluation result; filter_result='not-match', filter_type='facility'
    Filter rule evaluation result; filter_result='not-match', filter_rule='f_filter1'
    Filter rule evaluation begins; filter_rule='f_filter2'
    Filter node evaluation result; filter_result='not-match', filter_type='facility'
    Filter rule evaluation result; filter_result='not-match', filter_rule='f_filter2'
    Filter rule evaluation begins; filter_rule='f_apache'
    Filter node evaluation result; filter_result='match', filter_type='facility'
    Filter rule evaluation result; filter_result='match', filter_rule='f_apache'
    Rewrite expression evaluation result; value='FACILITY', new_value='apache'

So this makes me believe that rewrite does happen, but the value is not picked up later.

BTW, the documentation for `set` command says that there should be a comma between "apache" and value, but other samples do not put it there. I've tried it both ways to no avail.

--
Configure bugmail: https://bugzilla.balabit.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.

https://bugzilla.balabit.com/show_bug.cgi?id=88

Robert Fekete <frobert@balabit.hu> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |frobert@balabit.hu

https://bugzilla.balabit.com/show_bug.cgi?id=88

Balazs Scheidler <bazsi@balabit.hu> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|                            |FIXED
             Status|NEW                         |RESOLVED

--- Comment #1 from Balazs Scheidler <bazsi@balabit.hu> 2010-06-23 20:42:24 ---

that's right, FACILITY is not a name-value pair and the rewrite framework doesn't handle that. version 3.1 even displays a warning in this case:

    msg_warning("Macros are read-only, they cannot be changed in rewrite rules, falling back to MESSAGE instead",
                evt_tag_str("macro", p),
                NULL);

The problem with changing FACILITY is that it is not a string-like value of the log message. Also, there's no such thing as "apache" facility, facilities are defined in the RFC and only the given set can be used (syslog-ng also supports 'numeric' facility codes, but that's not very interoperable).

I'm not sure what you exactly want to achieve, but if all you need is to associate the application name to a message, then either use tags, or use a different name value pair (e.g. APPLICATION)

And last but not least, I'm planning to implement rewrite support for facility/severity fields, but not in 3.0

https://bugzilla.balabit.com/show_bug.cgi?id=88

--- Comment #2 from Alexander Pogrebnyak <alex-pub.balabit@reflexion.net> 2010-06-23 22:51:46 ---

Your suggestion about APPLICATION worked as a charm.

I would say this is really a documentation bug. The way it's written, it sounds like the macro referenced by `value( )` must already exist. In `rewrite` section it should really spell out that you can create user defined macros this way, this is awesome.

Thanks for speedy response.

BTW, is comma( , ) optional inside the `set` command?
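
The configuration from the original report, reworked along the lines of comments #1 and #2, as an added example that was not posted by anyone in this thread. The rule name r_set_application, the destination name d_remote_by_application and the use of $APPLICATION in the file path are assumptions; the thread only confirms that setting APPLICATION worked.

```conf
# Added example: the reporter's fragment with the rewrite target changed from
# the read-only FACILITY macro to a user-defined name-value pair.
source remote_sys {
    tcp( ip( "0.0.0.0" ) port( 514 ) max-connections( 1152 ) );
    udp( ip( "0.0.0.0" ) port( 514 ) );
};

# Selection still happens on the real syslog facility carried in the message.
filter f_apache { facility( local1 ); };

# APPLICATION does not exist beforehand; set() creates it for this message.
# (Hypothetical rule name.)
rewrite r_set_application { set( "apache" value( "APPLICATION" ) ); };

# Hypothetical destination name; the path expands to
# /var/log/remote/apache/apache.log for messages that passed the rule above.
destination d_remote_by_application {
    file( "/var/log/remote/$APPLICATION/$APPLICATION.log"
        create_dirs( yes )
        perm( 0644 )
        dir_perm( 0755 )
        template( "$R_ISODATE $HOST -$LEVEL- $PROGRAM[$PID]: $MSGONLY\n" )
        frac_digits( 6 )
        template_escape( no )
    );
};

log {
    source( remote_sys );
    filter( f_apache );
    rewrite( r_set_application );
    destination( d_remote_by_application );
    flags( final );
};
```

$APPLICATION is empty for any message that did not pass through the rewrite rule, so this destination belongs only in log paths that apply the rule first. The directory name comes from a constant in the server's own configuration, not from a field supplied by the sending host.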

https://bugzilla.balabit.com/show_bug.cgi?id=88

--- Comment #3 from Balazs Scheidler <bazsi@balabit.hu> 2010-06-24 13:37:41 ---

commas are optional everywhere, it is just a matter of style, readability.

https://bugzilla.balabit.com/show_bug.cgi?id=88

Alexander Pogrebnyak <alex-pub.balabit@reflexion.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|FIXED                       |
             Status|RESOLVED                    |REOPENED

--- Comment #4 from Alexander Pogrebnyak <alex-pub.balabit@reflexion.net> 2010-06-24 17:51:43 ---

Please fix documentation for `set` to say that it can be used to define a new macro. This is really what I was after in the first place.

https://bugzilla.balabit.com/show_bug.cgi?id=88

Balazs Scheidler <bazsi@balabit.hu> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|rewrite FACILITY does not   |document that rewrite can
                   |work.                       |create new name-value pairs

https://bugzilla.balabit.com/show_bug.cgi?id=88

Robert Fekete <frobert@balabit.hu> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|                            |FIXED
             Status|REOPENED                    |RESOLVED

--- Comment #5 from Robert Fekete <frobert@balabit.hu> 2010-07-01 11:28:40 ---

I've added the following example to the existing rewrite set examples, and also added a note about fields that cannot be rewritten:

It is also possible to use set the value of a field that does not exist yet, and create a new name-value pair that is associated with the message. The following example created the MODIFIED field and sets its value to yes. If you use the $MODIFIED macro in a template or SQL table, its value will be yes for every message that was processed with this rewrite rule, and empty for every other message.

    rewrite r_rewrite_set{set("yes", value("MODIFIED"));};

It will be available in the next edition of the adminguide.

Robert

https://bugzilla.balabit.com/show_bug.cgi?id=88

--- Comment #6 from Alexander Pogrebnyak <alex-pub.balabit@reflexion.net> 2010-07-01 16:49:34 ---

(In reply to comment #5)

Thanks again for speedy reply! Below is a proofread of your documentation changes.

> I've added the following example to the existing rewrite set examples, and also added a note about fields that cannot be rewritten:
>
> It is also possible to use set the value of a field that does not exist yet, and create a new name-value pair that is associated with the message. The following example created the MODIFIED field and sets its value to yes. If you use the $MODIFIED macro in a template or SQL table, its value will be yes for every message that was processed with this rewrite rule, and empty for every other message.
>
>     rewrite r_rewrite_set{set("yes", value("MODIFIED"));};
>
> It will be available in the next edition of the adminguide.
>
> Robert

It is also possible to set the value of a field that does not exist yet, and create a new name-value pair that is associated with the message. The following example creates the MODIFIED field and sets its value to 'yes'. If you use the $MODIFIED macro in a template or SQL table, its value will be 'yes' for every message that was processed with this rewrite rule, and empty for every other message.

    rewrite r_rewrite_set{set("yes", value("MODIFIED"));};

-Alex

https://bugzilla.balabit.com/show_bug.cgi?id=88

--- Comment #7 from Robert Fekete <frobert@balabit.hu> 2010-07-01 20:07:31 ---

Hi Alex,

thanks a lot for noticing the typos!

Robert