[syslog-ng]Filter enhancement

Nate Campi nate@campin.net
Mon, 31 Dec 2001 20:42:38 -0800

On Tue, Dec 04, 2001 at 04:28:24PM -0500, Jay Guerette wrote:
> I have an idea for a filter function:
> I would like to filter messages through an external program, ideally spawned
> as a child process like the 'program()' destination target.
> 1. Perform more complex filtering, or dynamic filtering based on input from a
> database or other 3rd source.
> 2. Reformat the messages as they pass through the filter.

Where did we leave off with this? I have a very real need myself to be
able to rewrite certain log messages. My reporting and archiving both
get messed up by incorrect hostnames, mostly from Solaris clients (which
don't seem to send a hostname in network syslog messages but do include
the rest of the syslog header) and the tag/process field has a space in
it. This makes syslog-ng think that the first part of the tag field is
the hostname (correct behavior for syslog-ng, but still wrong in this
case). I could make syslog-ng toss the client supplied hostname
entirely (keep_hostname(no)), but then I lose half of the tag field,
which I need to keep the message intact. Archiving and reporting
problems also happen when a "last message repeated XX times" message
comes in.

I'd rather the messages were recorded correctly in the first place -
that seems the right way to do this, rather than coding in a bunch of
workarounds for all tools which parse/utilize the messages.

I ended up writing a Perl daemon sitting in front of syslog-ng to fix
these messages before syslog-ng even sees them, but this is no solution.
I feel no desire to re-implement the proper "relay" behavior described
in http://www.ietf.org/rfc/rfc3164.txt - which I really need to do to
get this working right.

I think Balazs might have been in the hospital when this thread came up
(BTW, hope you're well). Some kind of rewriting ability would be great,
any thoughts Balazs?

OBTW, I filed a support ticket with the vendor of the software which
sends the space in the tag field, but even if they fix it (not anytime
soon) something like this will come up again, I'm sure.
Nate Campi     http://www.campin.net    GnuPG key: 0xC17AEF79

"If Microsoft can change and compete on quality, I've won."
                                             -- L. Torvalds
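
The misparse described in the message above, as an added example that is not part of the original post and is not syslog-ng code: a simplified RFC 3164 header parser run over constructed lines, showing how a missing hostname plus a tag containing a space shifts the fields, and why discarding the client hostname loses half of the tag. The `repair` function, the host names and the "backup agent" tag are hypothetical.

```python
import re

# Simplified RFC 3164 header: <PRI>TIMESTAMP HOSTNAME MSG.
# This is a model for illustration, not syslog-ng's parser.
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)

def parse(line):
    """Strict receiver: the first token after the timestamp is the hostname."""
    m = HEADER.match(line)
    if m is None:
        raise ValueError("not an RFC 3164 style line")
    return {"pri": int(m["pri"]), "ts": m["ts"],
            "host": m["host"], "msg": m["msg"]}

def discard_client_host(rec, sender):
    """Model of replacing the client-supplied hostname with the sender's name."""
    return {**rec, "host": sender}

def repair(rec, sender, known_hosts):
    """Hypothetical relay-side rewrite: a parsed 'host' that is not a known
    client is assumed to be the first word of the tag and is put back.
    Limitation: fails if a tag's first word equals a known hostname."""
    if rec["host"] in known_hosts:
        return rec
    return {**rec, "host": sender, "msg": rec["host"] + " " + rec["msg"]}

# Constructed sample lines (not taken from any real log).
GOOD = "<38>Dec 31 20:42:38 web01 sshd[412]: Accepted publickey for nate"
# No hostname on the wire, and the tag "backup agent" contains a space.
BAD = "<38>Dec 31 20:42:38 backup agent[977]: job 12 finished"
KNOWN = {"web01", "sol01"}  # assumed inventory of client names

if __name__ == "__main__":
    bad = parse(BAD)
    print("strict parse :", bad["host"], "|", bad["msg"])
    dropped = discard_client_host(bad, "sol01")
    print("host dropped :", dropped["host"], "|", dropped["msg"])
    fixed = repair(bad, "sol01", KNOWN)
    print("repaired     :", fixed["host"], "|", fixed["msg"])
```
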
