[syslog-ng] Destination program question
Aaron Jackson
syslog-ng@lists.balabit.hu
Tue, 22 Jul 2003 11:29:56 -0400
I am trying to get syslog-ng 1.6.0rc3 to run a program as soon as it
receives a message that matches a specific string, but I am having a
few problems. My syslog-ng.conf file has the following set up:

  options {
      sync (0);
      time_reopen (10);
      log_fifo_size (1000);
      long_hostnames (off);
      use_dns (yes);
      use_fqdn (no);
      create_dirs (yes);
      keep_hostname (yes);
  };

  source s_sys { sun-streams ("/dev/log" door("/etc/.syslog_door"));
                 internal(); };
  source s_udp { udp(); };
  source s_tcp { tcp(); };

  destination d_prog { program("/path/to/program.pl"
                       template("$HOST,$MSG\n")); };

  filter f_fetch { level(notice) and match("MATHC_STRING"); };

  log { source(s_sys); source(s_udp); source(s_tcp); filter(f_fetch);
        destination(d_prog); };

My first question is an easy one. My perl program has the form:

  while ($line=<>) {
      ...
  }

Is this correct? When syslog-ng forks my perl script, can I assume that
STDIN is always open or should my script have a form like so?

  while (1) {
      $line=<>;
      ...
  }

My second question has to do with when the perl script is run. It looks
like syslog-ng waits for either several log messages or gets a SIGTERM
(or similar) before it runs the program. I would like for this to
happen in real time. The only option I see that might change the timing
of when the program is run is log_fifo_size. But since I have to use a
production system that collects over 20K log messages/day for
development (yes, this is bad), I would like to know if I'm on the right
track before I change anything. Any info would be helpful. Thanks.
Aaron
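
Added example, not part of the original post: a Perl reader for a program() destination that uses the template("$HOST,$MSG\n") shown in d_prog. The names parse_line, handle and main_loop and the hostname pattern are assumptions made for illustration; because s_udp and s_tcp take network input and keep_hostname(yes) keeps the sender-supplied hostname, both fields are treated as untrusted.

```perl
#!/usr/bin/perl
# Added example (not from the original post): reader for a syslog-ng
# program() destination that uses template("$HOST,$MSG\n").
use strict;
use warnings;

$| = 1;    # unbuffer this script's own STDOUT so output appears per message

# Split one templated line into (host, msg). Returns an empty list when the
# line is not "host,message". With udp()/tcp() sources and keep_hostname(yes)
# both fields are sender-controlled, so the host must match a conservative
# hostname pattern (an assumption of this example) before it is used.
sub parse_line {
    my ($line) = @_;
    chomp $line;
    my ($host, $msg) = split /,/, $line, 2;    # $MSG may itself contain commas
    return unless defined $msg;
    return unless $host =~ /\A[A-Za-z0-9][A-Za-z0-9._-]{0,254}\z/;
    $msg =~ s/[^\x20-\x7e]/?/g;                # neutralise control bytes
    return ($host, $msg);
}

# Hypothetical action; replace with the real work. If an external command is
# needed, use the list form of system() so that no shell parses $host or $msg.
sub handle {
    my ($host, $msg) = @_;
    print "host=$host msg=$msg\n";
}

sub main_loop {
    my ($fh) = @_;
    # readline returns undef at EOF (the writer closed the pipe), which ends
    # the loop instead of spinning on an exhausted handle.
    while (defined(my $line = <$fh>)) {
        my ($host, $msg) = parse_line($line) or next;    # skip rejected lines
        handle($host, $msg);
    }
}

if (@ARGV && $ARGV[0] eq '--selftest') {
    # Constructed sample input, not real log data.
    my $sample = "web01,fetch a,b\nbad host;rm,x\nnocomma\n";
    open my $fh, '<', \$sample or die "open: $!";
    main_loop($fh);
} else {
    main_loop(\*STDIN);
}
```

Running the script with --selftest feeds it the constructed sample lines instead of STDIN.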