[RFC] procfile destination
Hi,

Based on a request I have now created a new destination driver, called "procfile". A working PoC is available on this branch:

https://github.com/balabit/syslog-ng/tree/3.6/f/procfile

It can be used to change kernel settings dynamically, based on a trigger within syslog-ng.

The difference between procfile() and file():

- no template in the name of the file
- processing is performed immediately as read by the source, no queueing is performed (e.g. no loss is possible, but takes CPU time from the source)
- opens and closes the destination file after each and every write, writes to offset zero e.g. it doesn't append further data.

I'd be grateful if you could provide feedback around these questions or the feature in general:

- name of the driver, right now it is called procfile as it was the original use-case, however it works with stuff in /dev too, and might work with simple named pipes.
- right now the file must exist and is not created (e.g. it really requires an existing file); do we need that?
- do we need append mode in some cases
- whether we need append mode (if we think of general files, this would probably be needed)

Thanks in advance,
Bazsi
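The write semantics listed in the message above (existing file only, open and close around every message, write at offset zero, no append), as an added C sketch. This is not code from the procfile branch; the helper name oneshot_write and the demo file names are hypothetical.

```c
/* Added sketch of the semantics described above; not syslog-ng code. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper: deliver one formatted message to an existing
 * control file. Returns 0 on success, -errno on failure. */
int oneshot_write(const char *path, const char *msg)
{
    size_t len = strlen(msg);

    /* No O_CREAT: a missing target is an error, never a new file.
     * No O_APPEND and no O_TRUNC: the data lands at offset zero. */
    int fd = open(path, O_WRONLY | O_NOCTTY);
    if (fd < 0)
        return -errno;

    /* One write() per message, so the receiving handler sees the message
     * whole. A short write is reported, not continued as a second write. */
    ssize_t n = write(fd, msg, len);
    int err = 0;
    if (n < 0)
        err = errno;
    else if ((size_t)n != len)
        err = EIO;

    /* Close after every message; keep the first error seen. */
    if (close(fd) < 0 && err == 0)
        err = errno;
    return -err;
}

int main(void)
{
    /* Constructed demo target: a regular file standing in for a /proc entry. */
    const char *path = "oneshot_demo.tmp";
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return 1;
    fclose(f);
    printf("first:   %d\n", oneshot_write(path, "+192.0.2.100\n"));
    /* Shorter message: on a regular file the old tail "0\n" survives. */
    printf("second:  %d\n", oneshot_write(path, "+192.0.2.7\n"));
    printf("missing: %d\n", oneshot_write("oneshot_absent.tmp", "+192.0.2.7\n"));
    return remove(path) != 0;
}
```

On a regular file the tail of a longer earlier message stays in place after a shorter write, which is one reason these semantics fit /proc, /sys and /dev entries rather than general files.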
Balazs Scheidler <bazsi@balabit.hu> writes:

> - no template in the name of the file

Would it be possible to have templates in the filename? I can imagine cases where I'd write to a different file based on message properties.

Like, if I start to see alerts that stuff is timing out, I'd spin up my second CPU core (in a laptop setting, where I can't be bothered with proper monitoring, and want to (ab)use syslog-ng for that task).

> - name of the driver, right now it is called procfile as it was the original use-case, however it works with stuff in /dev too, and might work with simple named pipes.

It also works with stuff in /sys, so procfile() is not a good name. I would suggest oneshot-file() or simply oneshot().

> - right now the file must exist and is not created (e.g. it really requires an existing file); do we need that?

I do not think file creation is important in this case.

> - do we need append mode in some cases - whether we need append mode (if we think of general files, this would probably be needed)

I don't think we do.

--
|8]
I have now submitted a pull request to merge the "pseudofile" destination, I've now skipped the support for destination file templates, but that can be added later on when a more concrete usecase shows up. It already solves Valentijn's use-case, so it is useful as it is.

I wanted to close some of my open branches :)

--
Bazsi

On Mon, Dec 16, 2013 at 1:20 PM, Gergely Nagy <algernon@balabit.hu> wrote:

> Balazs Scheidler <bazsi@balabit.hu> writes:
>
> > - no template in the name of the file
>
> Would it be possible to have templates in the filename? I can imagine cases where I'd write to a different file based on message properties.
>
> Like, if I start to see alerts that stuff is timing out, I'd spin up my second CPU core (in a laptop setting, where I can't be bothered with proper monitoring, and want to (ab)use syslog-ng for that task).
>
> > - name of the driver, right now it is called procfile as it was the original use-case, however it works with stuff in /dev too, and might work with simple named pipes.
>
> It also works with stuff in /sys, so procfile() is not a good name. I would suggest oneshot-file() or simply oneshot().
>
> > - right now the file must exist and is not created (e.g. it really requires an existing file); do we need that?
>
> I do not think file creation is important in this case.
>
> > - do we need append mode in some cases - whether we need append mode (if we think of general files, this would probably be needed)
>
> I don't think we do.
>
> --
> |8]
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
-- Bazsi
Hi,

Finally found some time to test this. My setup is rather simple (I think), the config-file now says:

    destination d_syslogblock {
        pseudofile ("/proc/net/xt_recent/syslogblock" template("+${usracct.device}\n"));
        file("/var/log/syslogblock");
        file("/tmp/blocker" template("+${usracct.device}\n"));
    };

The "blocker" file is just for testing purposes, and "syslogblock" is to log all evil to a regular log file as well.

I got it to work rather easily and will report my findings. In the meantime, a question: is there anyone who guards the debian/ directory inside the source tree? There seem to be some (mostly minor) issues, and as I'm fixing them locally in order to get syslog-ng up and running, I may as well send them upstream. If anyone cares ;-) that is.

Best regards,
Valentijn

On 12/30/13 19:16, Balazs Scheidler wrote:

> I have now submitted a pull request to merge the "pseudofile" destination, I've now skipped the support for destination file templates, but that can be added later on when a more concrete usecase shows up. It already solves Valentijn's use-case, so it is useful as it is.
Hi,

On Fri, Dec 13, 2013 at 03:52:24PM +0100, Balazs Scheidler wrote:

> - name of the driver, right now it is called procfile as it was the original use-case, however it works with stuff in /dev too, and might work with simple named pipes.

not that I'm posting anything overwhelmingly useful here (gasp) but in my opinion, 'pseudofile' or 'pseudo' or any variation thereof would be more self-explanatory.

cheers
Thanks. I like this idea.

On Dec 17, 2013 3:43 PM, "Fabien Wernli" <wernli@in2p3.fr> wrote:

> Hi,
>
> On Fri, Dec 13, 2013 at 03:52:24PM +0100, Balazs Scheidler wrote:
>
> > - name of the driver, right now it is called procfile as it was the original use-case, however it works with stuff in /dev too, and might work with simple named pipes.
>
> not that I'm posting anything overwhelmingly useful here (gasp) but in my opinion, 'pseudofile' or 'pseudo' or any variation thereof would be more self-explanatory.
>
> cheers
On 13-12-13 15:52, Balazs Scheidler wrote:

> Hi,
>
> Based on a request I have now created a new destination driver, called "procfile".

:-) ! I'll test it - shortly; currently I'm in the end-of-the-year rush, but I think I may try to find some time to test it before 2014 :-)

Thanks! Great news!

Valentijn

--
Durgerdamstraat 29, 1507 JL Zaandam; telefoon 075-7074579
participants (5)

- Balazs Scheidler
- Balazs Scheidler
- Fabien Wernli
- Gergely Nagy
- Valentijn Sessink