Multiple log statements vs If/else
Is there any functional difference between something like:

```
log { .... };
log { ... flags(final); };
```

and

```
log {
  if { ... } else { ... };
};
```

I was thinking about trying to build a configuration specific for an app from a Jinja2 template in Ansible and it seems like to me that if they aren't different it would be easier to do multiple log statements if generated dynamically.

Thanks,
-Mark

Mark Faine
System Administrator
SAIC/NICS
215 Wynn Dr. 5065
Huntsville, AL 35805
256-961-1295 (Desk)
256-617-4861 (Work Cell)
Hi,

On Wed, May 08, 2019 at 01:28:46PM +0000, Faine, Mark R. (MSFC-IS40)[NICS] wrote:
> I was thinking about trying to build a configuration specific for an app from a Jinja2 template in Ansible and it seems like to me that if they aren't different it would be easier to do multiple log statements if generated dynamically.
The if/then/else control is much more readable, and I believe it was implemented for that reason. That being said, you can achieve the same behaviour with multiple log paths + flags, or embedded log paths and channels/junctions. Be aware however that in the former, declaration order matters.
Hi,
> The if/then/else control is much more readable, and I believe it was implemented for that reason. That being said, you can achieve the same behaviour with multiple log paths + flags, or embedded log paths and channels/junctions. Be aware however that in the former, declaration order matters.
Yes, that's correct. We prefer using if-elif statements instead of using junction/channels with final flags (because if-elif are basically just that) for convenience. In if-elif statements there is even some flexibility you can configure (what should be used for the conditional expression); for details let me link our Admin guide: https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.20/administration-guide/51#TOPIC-1121970

Regards,
Gabor
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
I can understand that, however, if you’re trying to convert yaml into a log path it would be hard to do if/else dynamically. I am curious about how the declaration order matters. My understanding is that each message will be evaluated for a match on each log statement in the order that they appear in the file and only when it hits a log statement with a final flag will it stop attempting to match. Is that correct?

Thanks,
-Mark
On Thu, May 09, 2019 at 12:58:50PM +0000, Faine, Mark R. (MSFC-IS40)[NICS] wrote:
> I can understand that, however, if you’re trying to convert yaml into a log path it would be hard to do if/else dynamically. I am curious about how the declaration order matters. My understanding is that each message will be evaluated for a match on each log statement in the order that they appear in the file and only when it hits a log statement with a final flag will it stop attempting to match. Is that correct?
there is also the 'fallback' flag
Interesting, I don't think I've used that before. The description sounds more like what I'd consider a 'catchall' to be than what the actual catchall does, except it only catches that which hasn't already been caught. That might be useful for a use-case I have where we have people who send us logs without notifying us first so that we can filter for it, this way we can at least start indexing it and whenever they do get around to letting us know they are sending it we will at least have it contained somewhere.

Thanks,
-Mark
Hi Mark! Sorry for answering after a long time.
> I am curious about how the declaration order matters. My understanding is that each message will be evaluated for a match on each log statement in the order that they appear in the file and only when it hits a log statement with a final flag will it stop attempting to match. Is that correct?

Yes. :) As Fabien mentioned, a "fallback" log path would be needed to not drop unprocessed log messages.

> ... it seems like to me that if they aren’t different it would be easier to do multiple log statements if generated dynamically.

A config with many log paths would be easy to generate, but hard to read/maintain. If you find if-else config hard to generate from code, you can use the junction/channel with final flags too. Just make sure you have a fallback channel too.
Regards, Gabor
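The approach discussed in this thread (one `flags(final)` log path per application, followed by a `flags(fallback)` log path), as an added example that is not part of the original messages or of syslog-ng itself: a Python generator of the kind a template-driven setup could use. The source `s_net`, the `d_<name>` destinations (assumed to be defined elsewhere in the config), the `f_<name>` filter names and the sample app list are assumptions; values are validated before interpolation so that input data cannot inject extra config statements.

```python
import re

# Constructed sample input, standing in for the YAML an Ansible play would load.
APPS = [
    {"name": "nginx", "program": "nginx"},
    {"name": "sshd", "program": "sshd"},
]

_IDENT = re.compile(r"[A-Za-z0-9_]+")


def _ident(value):
    """Reject anything that could break out of a syslog-ng identifier or string."""
    if not _IDENT.fullmatch(value):
        raise ValueError(f"unsafe value for syslog-ng config: {value!r}")
    return value


def render_log_paths(apps, source="s_net", fallback_dest="d_unclassified"):
    """Return one final log path per app, then a single fallback log path."""
    blocks = []
    for app in apps:
        name, program = _ident(app["name"]), _ident(app["program"])
        blocks.append(
            f'filter f_{name} {{ program("{program}"); }};\n'
            f"log {{\n"
            f"    source({source});\n"
            f"    filter(f_{name});\n"
            f"    destination(d_{name});\n"
            f"    flags(final);\n"
            f"}};"
        )
    # Fallback path: receives only messages that no non-fallback log path processed.
    blocks.append(
        f"log {{\n"
        f"    source({source});\n"
        f"    destination({fallback_dest});\n"
        f"    flags(fallback);\n"
        f"}};"
    )
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    print(render_log_paths(APPS))
```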
Thanks, that does help and I am putting in a fallback log path as the last log path. I think junction/channel is very difficult to understand. If/else is probably the easiest, log paths aren’t that bad, but junction/channel is very unintuitive to me.

Thanks,
-Mark
On Fri, May 17, 2019 at 01:19:07PM +0000, Faine, Mark R. (MSFC-IS40)[NICS] wrote:
> Thanks, that does help and I am putting in a fallback log path as the last log path. I think junction/channel is very difficult to understand. If/else is probably the easiest, log paths aren’t that bad, but junction/channel is very unintuitive to me.
Channels are like individual if (without else) statements. Junctions are channel containers, all channels being connected downstream.
Just think about this as a pipeline that can:

1) deliver messages
2) fork to different paths and never join again (=> channel / log statement)
3) fork to different paths and then be joined again (=> junction)
4) at every fork, the message is cloned.

```
        +-- channel1 ---- destination
       /
src---+
       \                  /----\
        +-- channel 2----+      +---- destination
                          \----/
                         junction
```
Thank you for the visualization. So, if I currently have a bunch of log paths that are final the channels forks would just expand out vertically, but then a junction could be used to join again for the fallback log path? Embedded log paths would just be a fork off of an existing fork?

-Mark
participants (4)
- Fabien Wernli
- Faine, Mark R. (MSFC-IS40)[NICS]
- Nagy, Gábor
- Scheidler, Balázs