[syslog-ng] Re: syslog_ng suggestion
Marc Duponcheel
marc@offline.be
Mon, 14 Jun 1999 21:18:31 +0200
On 1999 Jun 14, Balazs Scheidler wrote:
> Hi,
>
> (cc-ing the message to the syslog-ng mailing list)
Thanks, I better subscribe!
> On Mon, Jun 14, 1999 at 01:45:02AM +0200, Marc Duponcheel wrote:
> > First of all: CONGRATULATIONS with syslog_ng!
> >
> > UNIX is waiting 20 years already to get rid of the limited syslog
> > daemon ;-)
>
> Thanks.
>
> > Since you use a real language to write syslog_ng.conf I would like you
> > to propose a generalisation, which, I believe, should be easy (and
> > powerful).
> >
> > You may have noticed that big parts of a syslog_ng.conf are simply
> > substitutions of some template ...
> >
> > What about variables (coming out of the log itself)?
> >
> > like:
> > variables=level,facility,program,host
> >
> > Then syslog_ng could interpret generic specifications resulting in
> > generating multiple log files without the syslog_ng.conf writer having
> > to worry about the actual possible values. For 'program' and 'host' I
> > believe this could be a real win.
> >
> > Of course you should make ${program}=foo for such things like
> > foo[NNN]: and foo:
> >
> > destination d_${variable} {
> > file /var/log/${variable};
> > };
> > filter f_${variable} {
> > level(${variable});
> > };
> > log { source src;
> > filter f_${variable};
> > destination d_${variable};
> > };
> >
> >
> > In fact one could combine variables (2 below) to generate any kind of
> > combinations.
> >
> > destination d_${level}.${program} {
> > file /var/log/${level}.${program};
> > };
> > filter f_${level}.${program} {
> > level(${level});
> > program(${program})
> > };
> > log { source src;
> > filter f_${level}.${program};
> > destination d_${level}.${program};
> > };
>
> this approach has some difficulties.
>
> syslog-ng opens all files at startup and keeps them open, and using
> variables above would make it rather difficult to find out the possible
> files at startup. (= impossible)
Yeah, I was somewhat aware of this and also about the dangers of
having too many files opening and closing all the time ...
> A workaround would be to open a destination only when some output is written
> there, but this would require quite big changes in syslog-ng internally.
And would probably slow down things ... I don't know.
> The same effect you proposed above could be done using some config file
> generation script:
>
> for fac in mail news auth; do
>   for lev in crit alert debug; do
>     cat syslog-ng.template |
>       sed -e 's/\${facility}/'"$fac"'/g' -e 's/\${level}/'"$lev"'/g'
>   done
> done
That's indeed what I do for (fac, lev) ;-) but for program and
hostname I don't have a list ... since any program or host could
suddenly decide to log something, a fact by the way a sysadmin might
be interested in (such a new program or host).
--
Marc Duponcheel
marc@offline.be [home] +32 (0)3 449.44.94
mduponch@cisco.com [work] +32 (0)2 704.52.40
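
Added example, not part of the original message or of syslog-ng: a sketch that combines the two ideas in the thread by deriving the program list from an existing log (with foo[NNN]: and foo: both mapped to foo) and expanding a template once per name. The function names, the sample log lines, the template text and the character allow-list are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: build per-program stanzas from the
# program names actually seen in a log, instead of a fixed list.

# Constructed sample input in classic "Mon DD HH:MM:SS host tag: msg" form.
sample_log() {
cat <<'EOF'
Jun 14 21:18:31 gw sshd[411]: session opened for marc
Jun 14 21:18:40 gw cron: job started
Jun 14 21:19:02 mx sshd[977]: Connection closed
Jun 14 21:19:05 mx ../../etc/cron.d/x[1]: crafted tag
EOF
}

# Print each distinct program name read from stdin. "foo[NNN]:" and "foo:"
# both become "foo". Only names made of [A-Za-z0-9_-] are kept, so a tag
# chosen by the sender cannot put "/" or ".." into a file path, nor
# characters that are special to sed or to the config syntax.
list_programs() {
    awk '{ tag = $5
           sub(/:$/, "", tag)
           sub(/\[[0-9]+\]$/, "", tag)
           if (tag ~ /^[A-Za-z0-9_-]+$/) print tag }' | sort -u
}

# Hypothetical template using the thread's ${program} placeholder.
TEMPLATE='destination d_${program} { file("/var/log/${program}"); };
filter f_${program} { program("${program}"); };
log { source(src); filter(f_${program}); destination(d_${program}); };'

# Expand the template once per discovered program (stdin: log lines).
generate_config() {
    list_programs | while read -r prog; do
        printf '%s\n' "$TEMPLATE" | sed -e 's/\${program}/'"$prog"'/g'
    done
}

sample_log | generate_config
```

Because the program and host fields are set by whoever sends the message, the allow-list is what keeps a generated file() path inside /var/log; rejected tags are simply skipped here.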