[syslog-ng] re-inserting syslog messages for testing

Ed Ravin syslog-ng@lists.balabit.hu
Fri, 28 Jan 2005 01:04:59 -0500

On Tue, Jan 18, 2005 at 11:29:07AM -0500, Ed Ravin wrote:
> I've written a perl script that takes as input a file with syslog
> I use this for test environments, especially when I'm testing things
> results when parsed by logsurfer.
> My tool does two things logger doesn't - (1) it trims off the existing
> timestamps from the input before logging it, and more interestingly, (2)
> can parse those timestamps and replay the log messages at the same rate
> that they were originally logged.  Or you can tell it to "time warp"
> and play the messages back 2x, 3x, 1/5x as fast, etc.  This is why it's
> good for testing logsurfer files, since you can test whether your
> timeouts work.
> I have to spruce it up slightly (get rid of the XXX comments :-) before
> I release it, will do so Real Soon.

OK, here it is, as an attachment.  With perldoc documentation, too.  One
possible bug not mentioned in the doc is that sleeping between
messages to simulate the original delivery times seems to be getting
rounded to the nearest second, a problem I thought using Time::HiRes
would fix, but could conceivably be limited to my local environment.

If anyone uses this, please let me know what you think.  It's still
in the beta stage, but since it's only a tool for testing rather
than production, that should be sufficient for most purposes :-)

	-- Ed

Content-Type: application/x-perl
Content-Disposition: attachment; filename="relogger.pl"

#!/usr/local/bin/perl -w

# take syslog messages from stdin - push them through syslog again
my $usage=
  "relogger.pl [--facility fac] [--priority pri] [--replayspeed factor] [--debug]\n";

use strict;
use Sys::Syslog qw(:DEFAULT setlogsock);
use Getopt::Long;

use Date::Parse;  # for str2time
use Time::HiRes qw ( sleep );  # sleep() that accepts fractional seconds

my %opt;
die $usage unless
    GetOptions (\%opt, "debug", "facility=s", "priority=s", "replayspeed=s");

# log through the local Unix-domain socket on these platforms
setlogsock('unix')
    if grep /^ $^O $/xo, ("linux", "openbsd", "freebsd", "netbsd");

my $facility=    $opt{'facility'} || "mail";
my $priority=    $opt{'priority'} || "info";
my $replayspeed= $opt{'replayspeed'} || 0;
my $debug=       $opt{'debug'} || 0;

# require at least one digit, so that "" and "." are rejected
die "$0: Option 'replayspeed' must be a valid floating point number\n"
    unless $replayspeed =~ /^(?:[0-9]+\.?[0-9]*|\.[0-9]+)$/;
my $progname= "";

# expected input format:
# Aug  5 20:28:17 grand-central postfix/qmgr[4389]: AC2BB7F9A: removed

my $lasttimestamp= 0;
my $timestamp;
my $timestep= 0;

while(<>)
{
    # split the line into timestamp, process name (PID dropped) and message
    if ( ((my ($timestr, $process, $msg))=  /^(.*) \S+ ([^ []*)\[\d+\]: (.*)$/ ) == 3)
    {
        $timestamp= str2time($timestr);
        if (!defined $timestamp)
        {
            # warn() returns 1, so it must not be assigned as the timestamp;
            # reuse the previous timestamp so that this line adds no delay
            warn "$0: cannot parse timestamp '$timestr'\n";
            $timestamp= $lasttimestamp;
        }

        # reopen the log whenever the originating process name changes
        if ($progname ne $process)
        {
            closelog;
            openlog "$process", 'ndelay,pid', $facility or die "$0: openlog: $!\n";
            $progname= $process;
        }

        # sleep for the scaled gap between this message and the previous one
        $timestep= $timestamp - $lasttimestamp;
        if ($replayspeed and $timestep > 0 and $lasttimestamp > 0)
        {
            warn "sleeping for " . $timestep * $replayspeed . " seconds...\n" if $debug;
            sleep( $timestep * $replayspeed);
        }

        syslog $priority, "%s", $msg unless $debug;
        warn "$process $facility/$priority $msg\n" if $debug;
        $lasttimestamp= $timestamp;
    }
    else
    {
        warn "$0: cannot parse input line $.: $_\n";
    }
}


__END__

=head1 NAME

relogger.pl - re-inject syslog log files back into syslog

=head1 SYNOPSIS

B<relogger.pl> [I<--facility fac>] [I<--priority pri>] [I<--replayspeed factor>] [I<--debug>]

=head1 DESCRIPTION

B<relogger.pl> takes syslog-formatted messages on standard input and re-sends
them via the default syslog mechanism.  The existing timestamps are stripped
off the message before it is re-sent.  Delays between messages can be enabled
with the I<--replayspeed> option (see B<OPTIONS> below) to simulate the
arrival times of the original messages.

B<relogger.pl> was written to help test configurations for programs
like B<logsurfer> or B<swatch> that parse log output and take
actions based on what messages appear in the logs.

=head1 OPTIONS

=over 4

=item B<--facility> I<fac>

Specify the syslog facility to log the messages
to.  Standard syslog messages do not store the facility the message was
logged on, so this cannot be determined from the input.  The default is the
B<mail> facility.

=item B<--priority> I<pri>

Specify the syslog priority to log the messages
to.  The default is the B<info> priority.  As with B<--facility>, this
information cannot be discovered from the input.

=item B<--replayspeed> I<factor>

Attempt to parse the timestamps
of the input messages, and simulate the original arrival times by sleeping
between each message.  The sleep time is multiplied by I<factor>.  To send
simulated log events with time spacing at the same time as the original
arrival times, use a I<factor> of 1.  To send simulated log events at twice
the speed of the original logs, use a I<factor> of 0.5 (i.e. sleep only
half the original time between log messages).

=item B<--debug>

Send all output to standard error, rather than to syslog.
Also prints an extra diagnostic message or two.

=back

=head1 BUGS

It would be nice to be able to specify the input filename on the command
line, instead of requiring it to be on standard input.

It would be nice to be able to control the syslog mechanism on the
command line (i.e. specify whether to use a local or remote host)
rather than just using the system default.

The original PID in the message is replaced by the current PID of
B<relogger.pl> in the simulated message.  Also, the PID of B<relogger.pl>
will appear in the simulated message even if the original one did not
supply a PID.

=head1 AUTHOR

B<relogger.pl> was written by Ed Ravin <eravin@panix.com>, and is made
available to the public by courtesy of PANIX (http://www.panix.com).
This script is licensed under the GPL.  B<relogger.pl> requires the
Date::Parse and the Time::HiRes Perl modules.
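
A dry-run planner for the "time warp" replay described above, as an added example that is not part of relogger.pl or of the original post: it computes the gap that would be slept before each message at a given factor and flags gaps that land on the other side of a rule timeout once scaled. The function names, the 60-second timeout, the assumed year 2005 and the sample lines are constructed for illustration.

```perl
# Added example, not part of relogger.pl: dry-run plan for a time-warped replay.
use strict;
use warnings;
use Time::Local qw(timegm);

my %MON; @MON{qw(Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec)} = (0 .. 11);

# Parse a classic "Mon dd hh:mm:ss" syslog timestamp. The format has no year,
# so the caller supplies one (assumption); timegm() ignores DST, which is fine
# because only differences between timestamps are used.
sub parse_stamp {
    my ($line, $year) = @_;
    my ($mon, $day, $h, $m, $s) =
        $line =~ /^(\w{3})\s+(\d{1,2}) (\d\d):(\d\d):(\d\d) /
        or return;
    return unless exists $MON{$mon};
    return eval { timegm($s, $m, $h, $day, $MON{$mon}, $year) };
}

# One [gap, replayed_gap, flag] row per parsable line. The flag is "CHANGED"
# when scaling by $factor moves the gap to the other side of $timeout, so the
# replay would not exercise the rule timeout the way the original traffic did.
sub plan_replay {
    my ($factor, $timeout, @lines) = @_;
    my ($last, @plan);
    for my $line (@lines) {
        my $t = parse_stamp($line, 2005);
        next unless defined $t;               # unparsable: skip, keep $last
        my $gap = defined $last ? $t - $last : 0;
        $gap = 0 if $gap < 0;                 # out-of-order line: no sleep
        my $replayed = $gap * $factor;
        my $flag = (($gap > $timeout) xor ($replayed > $timeout))
            ? "CHANGED" : "same";
        push @plan, [$gap, $replayed, $flag];
        $last = $t;
    }
    return @plan;
}

# Constructed sample input (hypothetical host, process and messages).
my @sample = (
    "Aug  5 20:28:17 testhost sshd[311]: constructed message 1",
    "Aug  5 20:28:47 testhost sshd[311]: constructed message 2",
    "Aug  5 20:30:17 testhost sshd[311]: constructed message 3",
    "this line has no timestamp",
    "Aug  5 20:35:17 testhost sshd[311]: constructed message 4",
);
printf "%-8s %-8s %s\n", qw(gap replayed timeout);
printf "%-8s %-8s %s\n", @$_ for plan_replay(0.5, 60, @sample);
```

With a factor of 0.5 and a 60-second timeout, the 90-second gap is replayed as 45 seconds and is flagged; to test that timeout faithfully at this speed, the timeout in the rule under test has to be scaled by the same factor.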