[syslog-ng]How do I adjust logging for "foreign" facilites?

[Balazs Scheidler]

On Mon, Jun 09, 2003 at 11:52:43AM -0600, Wayne Sweatt wrote:
> Balasz,
> 
>  I'm not sure how much of your reply is use of a built-in methods or
> just examples.
> Is the "process" keyword an undocumented method, or just very new?
> 
> I've solved the problem with the CRON logs, by using the match() method.
> Every log I received consistently had one of three keywords.
> The only remaining facilities I need to deal with are the Darwin -
> "netinfo", and Linux, etc - "authpriv".
> I am not able to filter by OS Type, since the host names are irrelevant
> to OS.
> From the logs that I've collected, I can see that I can safely translate
> all incoming hex "c" facility values to "netinfo" and could also safely
> replace all hex "a" facilities to "authpriv". No Solaris systems/apps
> are using those values anywhere on our network.
> 
> I am able to use the pipe() method, but that means running a dedicated,
> non-syslog-ng process in the background to write to the logs. I'm not
> crazy about that convaluted scheme.
> 
> I haven't tried the program() method yet. Would that be the ticket for
> me if I want to just replace strings? Could I write a simple Perl loop
> that replaces the priority string on <STDIN> and then writes out to the
> desired log file?

if you want to stick to facilities you could write a perl script reading log
messages from stdin a forwarding those logs to /dev/log using the libc
syslog() function. reinjected messages would then be directed to different
destinations based on the new, rewritten facility.

> 
> You use a "facility_rewrite_hack" in your example. How/where would that
> be defined?

neither process{} or the facitity_rewrite_hack() currently exists. they
meant an example how those could be implemented. They were meant to generate
discussion how this or that feature should/could be implemented.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1