[syslog-ng] Filter enhancement

Jay Guerette JayGuerette@pobox.com
Tue, 4 Dec 2001 16:28:24 -0500 (EST)


I have an idea for a filter function:

I would like to filter messages through an external program, ideally spawned
as a child process like the 'program()' destination target.

This could serve 2 functions:
1. Perform more complex filtering, or dynamic filtering based on input from a
database or other 3rd source.
2. Reformat the messages as they pass through the filter.

A message could be sent to the external process via STDIN, it is evaluated
and conditionally sent back via STDOUT. If a message is to be dropped
according to the filter criteria of the external process, it would have to
send back a NULL character to syslog-ng as an indicator.

A process could send an excessively verbose or obscure message to syslog-ng,
and the external filter process could re-write the message and pass it
back to syslog-ng for continued routing and handling.

This would be extremely handy for handling syslog input from Windows
NT/2K event logs. For example, right now, events from my Windows boxes
start like this in syslog:

Dec  4 16:04:02 host 275891:Tue Dec 04 16:04:02 2001: host/process...

The message itself contains the time stamp, host name, and process; and the
process name supplied to syslog-ng is actually the event ID in the event log.
There is no way to modify the output on the Windows end, but I would like to
rewrite the message on my end.

Also the event log output can be quite verbose:

"A trusted logon process has registered with the Local Security Authority.
This logon process will be trusted to submit logon requests. Logon Process
name:... "

This could easily be condensed by either hard coding a translation, or
writing a filter to drop extraneous words: 'a, the', and abbreviating others:
'proc., w/, req.'.

I realize that you could set up a program as a destination, and have that
program filter and format and re-send those messages to syslog, but that
seems cumbersome, and also could potentially double the processing that
syslog-ng would have to do.

Comments?

P.S.:
For the curious: I'm using Adiscon Event Reporter
http://www.eventreporter.com/
Having evaluated a few event log/syslog wedges, this is the best.
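The STDIN/STDOUT filter process proposed in the message above, written out as an added example (it is not part of the original post and not syslog-ng's or Adiscon's code). It reads one message per line, rewrites the Windows event-log lines in the layout the post shows, passes every other line through untouched, and answers with a NUL character when a message is to be dropped. Everything beyond the post is an assumption and is marked as such in the code: that syslog-ng hands the filter the full syslog line, the exact layout of the EventReporter-style message, the `winevt[<id>]` output format, the NUL-plus-newline drop marker, and the placeholder set of event IDs that get dropped.

```python
"""Stdin/stdout message filter of the kind proposed in the post (example code)."""
import re
import sys

# Constructed placeholder: event IDs the filter drops outright (not real Windows event IDs).
DROP_EVENT_IDS = frozenset({"999999"})

# Drop marker sent back instead of a message. The post proposes a NUL character; the
# trailing newline added in main() is an assumption so the consumer can keep reading lines.
DROP = "\0"

# Assumed layout of the EventReporter-style line shown in the post:
#   <syslog ts> <host> <eventid>:<Windows ts>: <rest of message>
WIN_EVENT_RE = re.compile(
    r"^(?P<prefix>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d \S+) "
    r"(?P<eventid>\d+):"
    r"(?P<wts>[A-Z][a-z]{2} [A-Z][a-z]{2} \d\d \d\d:\d\d:\d\d \d{4}): "
    r"(?P<rest>.*)$"
)

# Filler words dropped and abbreviations applied when condensing verbose text.
NOISE_WORDS = {"a", "the"}
ABBREVIATIONS = {"process": "proc.", "with": "w/", "request": "req.", "requests": "req."}


def condense(text: str) -> str:
    """Drop filler words and abbreviate common ones, keeping trailing punctuation."""
    out = []
    for token in text.split():
        core = token.rstrip(".,;:")
        trailing = token[len(core):]
        key = core.lower()
        if key in NOISE_WORDS:
            continue
        if key in ABBREVIATIONS:
            repl = ABBREVIATIONS[key]
            # Avoid a doubled period: "requests." becomes "req." rather than "req.."
            if repl.endswith(".") and trailing.startswith("."):
                trailing = trailing[1:]
            out.append(repl + trailing)
        else:
            out.append(token)
    return " ".join(out)


def filter_message(line: str) -> str:
    """Return the rewritten message, the unchanged line, or DROP."""
    m = WIN_EVENT_RE.match(line)
    if not m:
        return line  # not a Windows event line: pass through untouched
    if m.group("eventid") in DROP_EVENT_IDS:
        return DROP
    # The syslog header already carries timestamp and host, so the duplicate Windows
    # timestamp is discarded and the event ID becomes the program field (assumed format).
    return f"{m.group('prefix')} winevt[{m.group('eventid')}]: {condense(m.group('rest'))}"


def main() -> None:
    for raw in sys.stdin:
        sys.stdout.write(filter_message(raw.rstrip("\n")) + "\n")
        sys.stdout.flush()  # a child filter must not buffer, or the parent waits on it


if __name__ == "__main__":
    main()
```

Run it as `python filter.py < messages.txt` to see the rewrite; a consumer reading its output would treat a line consisting of a single NUL byte as "drop the message" and any other line as the message to route on. Flushing after every line matters in this design: if the child buffers its output, the parent blocks waiting for an answer that never arrives.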