[syslog-ng]Suggestions/enhancements miscellany

Ted_Rule@flextech.co.uk
Wed, 22 Jan 2003 10:20:02 +0000


Whilst at least some of the following has been mentioned before, I'd like to
make another little plea for some extra features and tidy-ups to syslog-ng and
its associated documentation.

a)   SIGHUP/keep-listening feature request

The current version supports the keepalive stream socket feature for both TCP
and Unix-Stream which means that existing connections are kept open across a
SIGHUP/reconfig. This is all well and good, and provides sufficient
functionality to avoid losing a Stream Source Socket message. However, for UDP
sockets, I believe the socket is closed/re-opened on SIGHUP, which thereby has
the potential for loss of messages across a SIGHUP.

Unix syslog client boxes in general could in theory all be reconfigured to use
syslog-ng and hence use TCP, and hence avoid message drops on a central syslog
server, but most embedded devices such as Cisco routers, HP printers, etc etc,
can only use UDP.

Hence the request to provide the "enhanced Frasier" option, as in "I'm still
listening" for both types of datagram socket. I would suggest calling this
option "keep-listening()".

I'm well aware this may be tricky to code, but given the large population of
UDP-only devices, I would have thought many people would like to see it
implemented. I did have a brief attempt to try and follow enough of the code
layout to work out how and where it might be glued into place - but this bear
of little brain got somewhat too confused to take it further.


b)   SIGUSR1/logrotate feature.

To avoid losing UDP messages, one extra trick might be to include another
signal - say SIGUSR1 - which is used merely to close all open destinations.
This would be used for log rotation - I'm assuming there would never be a
requirement to add open() code to this as well, as any required destination
should be simply opened on demand. At present, SIGHUP is used to ensure
destination closure for log rotation purposes, but this has the side-effect of
closing sources, and hence potentially losing UDP messages. Adding SIGUSR1
would avoid any loss of messages during the overnight rotation, although there
is obviously still the potential for message loss during any other required
SIGHUP/reconfiguration without the keep-listening() feature.


c)   --checkconf option

Once a new syslog-ng.conf has been built, it may be dangerous to SIGHUP it into
life; a simple spelling error or a missed semi-colon could in theory lead to
death of the running daemon, I believe. In mimicry of bind9's named-checkconf
utility, can we have an extra command-line option to syslog-ng which merely
checks for all potential syntactical errors in syslog-ng.conf, returning a
non-zero error code and messaging stderr with any syntax errors thus found? I
suggest "--checkconf" for the command line option name.

Using this, a general init script wrapper might contain:

          syslog-ng --checkconf && kill -HUP `cat /var/run/syslog-ng.pid`

to avoid sending a signal if the configuration check fails. This option is also
probably dependent on making the SIGUSR1 option available, elsewise a broken
configuration file may lead to loss of log rotation.


d)   Default options settings documentation.

This page in the current copy of the documentation:

     http://www.balabit.hu/static/syslog-ng/reference/x564.html

would benefit greatly from a rewrite showing the default setting as an extra
column for each option. Some options have their defaults listed here, but most
do not.


e)   Working examples of regex usage.

There are very few of the example configurations I have seen which show
specific examples of the regex matching capabilities of the filter() functions.
If anyone has some samples, perhaps some more examples could be added to either
the FAQ or the Documentation or both, please?




Ted
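
Added example, not part of the original message and not syslog-ng code: a loopback model of point (a), comparing a UDP source that is closed and re-bound during a reload with one that is kept open. The function names, the message strings and the close/re-bind sequence are assumptions made for illustration; the collector is a constructed socket on 127.0.0.1.

```python
import socket

def send(sock, text, addr):
    """Fire-and-forget datagram, as a UDP-only device would send it."""
    try:
        sock.sendto(text.encode(), addr)
    except ConnectionRefusedError:
        pass  # a stack may report the closed port; the datagram is lost either way

def drain(sock, quiet=0.3):
    """Return every datagram queued on sock, stopping after `quiet` seconds of silence."""
    sock.settimeout(quiet)
    out = []
    while True:
        try:
            out.append(sock.recvfrom(2048)[0].decode())
        except socket.timeout:
            return out

def reload_once(keep_listening, burst=5):
    """Simulate one reconfiguration; return the messages the collector logged."""
    source = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    source.bind(("127.0.0.1", 0))      # constructed collector on an ephemeral port
    addr = source.getsockname()
    device = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)  # stands in for a router or printer

    send(device, "before-reload", addr)
    logged = drain(source)

    if not keep_listening:
        source.close()                 # reload begins: source socket closed

    for i in range(burst):             # the device keeps logging during the reload
        send(device, f"during-reload-{i}", addr)

    if not keep_listening:
        source = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        source.bind(addr)              # reload ends: source re-opened on the same port

    send(device, "after-reload", addr)
    logged += drain(source)            # a kept socket still holds the burst in its kernel queue
    source.close()
    device.close()
    return logged

if __name__ == "__main__":
    for mode in (False, True):
        print("keep_listening =", mode, "->", reload_once(mode))
```

The sender sees no error in the close/re-bind case, so the gap in the log is only visible by comparing against what the device believes it sent.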