Unable to set PRIORITY and LEVEL in rewrite
Hi,

with the central logging of syslog in place, I moved on to the file /var/log/httpd/ssl_error_log to explore the syslog-ng (3.0.2-1 OSE on CentOS 5.3) capabilities with logfiles from other applications. The contents of this file are rather straightforward:

    [Wed Jun 24 12:14:49 2009] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
    [Wed Jun 24 12:14:49 2009] [error] [client 192.168.3.178] PHP Notice: Undefined offset: 2

I want to skip the date/time (assuming there is no delay before syslog-ng processes the data) and to set the PRIORITY and LEVEL attributes to "warning" and "err". The following config file (included in the main config) should do the job.

    source s_http_ssl_error {
        file ( "/var/log/httpd/ssl_error_log" flags(no-parse) follow_freq(1) );
    };

    # Split the message.
    parser p_http_ssl_error {
        csv-parser(
            columns(
                "HTTP.TIMESTAMP",
                "HTTP.SEVERITY",
                "HTTP.MSG"    # Match the remainder of the message (greedy).
            )
            delimiters( " " )
            flags( greedy, escape-double-char, strip-whitespace )
            quote-pairs( '""[]' )
        );
    };

    filter f_http_ssl_error_warn{
        match( "warn" value( "HTTP.SEVERITY" ) );
    };
    rewrite r_http_ssl_error_warn{
        set( "warning" value( "LEVEL" ) );
        set( "warning" value( "PRIORITY" ) );
    };

    filter f_http_ssl_error_error{
        match( "error" value( "HTTP.SEVERITY" ) );
    };
    rewrite r_http_ssl_error_error{
        set( "err" value( "LEVEL" ) );
        set( "err" value( "PRIORITY" ) );
    };

    # Eliminate the severity as soon as PRIORITY and LEVEL are set!
    # Set the attribute program to "http_ssl_error".
    template t_http_ssl_error{
        template( "http_ssl_error ${HTTP.SEVERITY} ${HTTP.MSG}\n" );
    };

    # Send the message to the regular syslog in order to transfer it to the syslog-ng collector.
    destination d_http_ssl_error{
        unix-dgram( "/dev/log" template( t_http_ssl_error ) );
    };

    # Handle the warnings.
    log {
        source( s_http_ssl_error );
        parser( p_http_ssl_error );
        filter( f_http_ssl_error_warn );
        rewrite( r_http_ssl_error_warn );
        destination( d_http_ssl_error );
        flags( final );
    };

    # Handle the errors.
    log {
        source( s_http_ssl_error );
        parser( p_http_ssl_error );
        filter( f_http_ssl_error_error );
        rewrite( r_http_ssl_error_error );
        destination( d_http_ssl_error );
        flags( final );
    };

    # Handle the other messages.
    log {
        source( s_http_ssl_error );
        parser( p_http_ssl_error );
        destination( d_http_ssl_error );
    };

Inserting [warn], [error] and [other] lines in the logfile, results in the proper number of syslog-ng messages with the desired MSG-contents. However, the priority and level attributes are unchanged ("notice"). What is wrong?

kind regards,
Siem Korteweg

On Mon, 2009-06-29 at 16:22 +0200, Siem Korteweg wrote:
> Hi,
>
> with the central logging of syslog in place, I moved on to the file /var/log/httpd/ssl_error_log to explore the syslog-ng (3.0.2-1 OSE on CentOS 5.3) capabilities with logfiles from other applications. The contents of this file are rather straightforward:
>
> [Wed Jun 24 12:14:49 2009] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
> [Wed Jun 24 12:14:49 2009] [error] [client 192.168.3.178] PHP Notice: Undefined offset: 2
>
> I want to skip the date/time (assuming there is no delay before syslog-ng processes the data) and to set the PRIORITY and LEVEL attributes to "warning" and "err". The following config file (included in the main config) should do the job.

This is not currently supported. In fact the rewrite stuff only works with name-value pairs, and not with all kinds of macros. I plan to fix this in syslog-ng 3.1.

-- Bazsi

On Mon, 2009-06-29 at 16:22 +0200, Siem Korteweg wrote:
> Hi,
>
> with the central logging of syslog in place, I moved on to the file /var/log/httpd/ssl_error_log to explore the syslog-ng (3.0.2-1 OSE on CentOS 5.3) capabilities with logfiles from other applications. The contents of this file are rather straightforward:
>
> [Wed Jun 24 12:14:49 2009] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
> [Wed Jun 24 12:14:49 2009] [error] [client 192.168.3.178] PHP Notice: Undefined offset: 2

Just one more minor note, using the latest syslog-ng versions, you can specify the default facility/level values for inputs that lack this value. See default-facility(), default-value() options.

-- Bazsi

Hi,

thank you for your reaction and hint. Where are these options documented? I cannot find them in the admin manual.

regards,
Siem Korteweg

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu on behalf of Balazs Scheidler
Sent: Fri 3-7-2009 16:39
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Unable to set PRIORITY and LEVEL in rewrite

On Mon, 2009-06-29 at 16:22 +0200, Siem Korteweg wrote:
> Hi,
>
> with the central logging of syslog in place, I moved on to the file /var/log/httpd/ssl_error_log to explore the syslog-ng (3.0.2-1 OSE on CentOS 5.3) capabilities with logfiles from other applications. The contents of this file are rather straightforward:
>
> [Wed Jun 24 12:14:49 2009] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
> [Wed Jun 24 12:14:49 2009] [error] [client 192.168.3.178] PHP Notice: Undefined offset: 2

Just one more minor note, using the latest syslog-ng versions, you can specify the default facility/level values for inputs that lack this value. See default-facility(), default-value() options.

-- Bazsi

On Fri, 2009-07-03 at 22:11 +0200, Siem Korteweg wrote:
> Hi,
>
> thank you for your reaction and hint. Where are these options documented? I cannot find them in the admin manual.

As it seems, the docs have not yet been updated. You can find more information about this feature in the mailing list archives starting at this thread:

https://lists.balabit.hu/pipermail/syslog-ng/2009-March/012638.html

and this:

https://lists.balabit.hu/pipermail/syslog-ng/2009-April/012858.html

The way it works is as follows:

    source aaa {
        file("/var/log/apache/error.log" default-facility(daemon) default-priority(error));
    };

This means that all lines that do not begin with a syslog header (<NNN> where NNN is the syslog PRI value), will get "daemon.error" instead of the earlier hard-coded "user.notice".

-- Bazsi

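Added example, not part of the thread and not syslog-ng code: a small preprocessor that shows how the <NNN> PRI value is derived (facility * 8 + severity) and how the per-line Apache level from the original post could be carried in that header, with a fallback for lines that have no level. The function names are hypothetical, the program tag http_ssl_error is taken from the template in the original post, and it is an assumption that the resulting lines are read by a source that parses the <PRI> header (that is, without flags(no-parse)).

```python
import re

# Syslog facility and severity codes (RFC 3164 / RFC 5424).
FACILITY = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
            "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
            "authpriv": 10, "ftp": 11,
            **{f"local{i}": 16 + i for i in range(8)}}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}
# Apache LogLevel names that differ from the syslog names.
APACHE_ALIAS = {"error": "err", "warn": "warning"}

# "[timestamp] [level] rest-of-message", as in the ssl_error_log sample.
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]*)\]\s+\[(?P<level>[a-z]+)\]\s+(?P<msg>.*)$")


def pri(facility, severity):
    """PRI value carried in the <NNN> header: facility * 8 + severity."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def to_syslog_line(line, facility="daemon", default_severity="err",
                   program="http_ssl_error"):
    """Drop the Apache timestamp and prefix the line with a <PRI> header.

    Lines without a recognised [level] field fall back to default_severity,
    the per-line analogue of default-facility()/default-priority().
    """
    m = LINE_RE.match(line.rstrip("\n"))
    level, msg = (m.group("level"), m.group("msg")) if m else (None, line.strip())
    severity = APACHE_ALIAS.get(level, level)
    if severity not in SEVERITY:
        severity = default_severity
    return f"<{pri(facility, severity)}>{program}: {msg}"


# Constructed sample input: the two lines quoted in the thread plus one
# line with no level field.
SAMPLE = [
    "[Wed Jun 24 12:14:49 2009] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)",
    "[Wed Jun 24 12:14:49 2009] [error] [client 192.168.3.178] PHP Notice: Undefined offset: 2",
    "free-form line without a level",
]

if __name__ == "__main__":
    for raw in SAMPLE:
        print(to_syslog_line(raw))
```

With these codes, "user.notice" is PRI 13 and "daemon.error" is PRI 27, which are the two defaults contrasted in the message above.
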
Bazsi,

thank you, this is the info I needed.

regards,
Siem

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu on behalf of Balazs Scheidler
Sent: Mon 6-7-2009 8:58
To: Syslog-ng users' and developers' mailing list
CC: documentation@balabit.com
Subject: Re: [syslog-ng] Unable to set PRIORITY and LEVEL in rewrite

On Fri, 2009-07-03 at 22:11 +0200, Siem Korteweg wrote:
> Hi,
>
> thank you for your reaction and hint. Where are these options documented? I cannot find them in the admin manual.

As it seems, the docs have not yet been updated. You can find more information about this feature in the mailing list archives starting at this thread:

https://lists.balabit.hu/pipermail/syslog-ng/2009-March/012638.html

and this:

https://lists.balabit.hu/pipermail/syslog-ng/2009-April/012858.html

The way it works is as follows:

    source aaa {
        file("/var/log/apache/error.log" default-facility(daemon) default-priority(error));
    };

This means that all lines that do not begin with a syslog header (<NNN> where NNN is the syslog PRI value), will get "daemon.error" instead of the earlier hard-coded "user.notice".

-- Bazsi