[syslog-ng] re-inserting syslog messages for testing

Ed Ravin syslog-ng@lists.balabit.hu
Mon, 31 Jan 2005 01:30:39 -0500



On Sun, Jan 30, 2005 at 09:42:16AM +0100, Balazs Scheidler wrote:
> On Fri, 2005-01-28 at 01:04 -0500, Ed Ravin wrote:
> > On Tue, Jan 18, 2005 at 11:29:07AM -0500, Ed Ravin wrote:
> > > I've written a perl script that takes as input a file with syslog
> > > I use this for test environments, especially when I'm testing things
> > > results when parsed by logsurfer.
> > > 
> > > My tool does two things logger doesn't - (1) it trims off the existing
> > > timestamps from the input before logging it, and more interestingly, (2)
> > > can parse those timestamps and replay the log messages at the same rate
> > > that they were originally logged.  Or you can tell it to "time warp"
> > > and play the messages back 2x, 3x, 1/5x as fast, etc.  This is why it's
> > > good for testing logsurfer files, since you can test whether your
> > > timeouts work.
...
> I'd like to include this script in the syslog-ng tarball within the
> contrib directory if you don't mind, though you should add a copyright
> and license header to the beginning of the file. (I know it is at the
> end of the documentation but that's not visible enough)

Done.  I also updated the bugs list with the caveats mentioned in the
previous message.  See attached.

Attachment: relogger.pl

#!/usr/local/bin/perl -w

# take syslog messages from stdin - push them through syslog again

# by Ed Ravin <eravin@panix.com>.  Made available to the
# public courtesy of PANIX (http://www.panix.com).
# This script is licensed under the GPL.
# Requires Date::Parse and Time::HiRes modules


my $usage=
  "relogger.pl [--facility fac] [--priority pri] [--replayspeed factor] [--debug]\n";

use strict;
use Sys::Syslog qw(:DEFAULT setlogsock);
use Getopt::Long;

use Date::Parse;  # for str2time
use Time::HiRes qw ( sleep );

my %opt;
die $usage unless
    GetOptions (\%opt, "debug", "facility=s", "priority=s", "replayspeed=s");

# use the local UNIX-domain syslog socket on platforms that provide it
setlogsock('unix')
    if grep /^ $^O $/xo, ("linux", "openbsd", "freebsd", "netbsd");

my $facility=    $opt{'facility'} || "mail";
my $priority=    $opt{'priority'} || "info";
my $replayspeed= $opt{'replayspeed'} || 0;
my $debug=       $opt{'debug'} || 0;

die "$0: Option 'replayspeed' must be a valid floating point number\n"
    unless $replayspeed =~ /^[0-9]*\.?[0-9]*$/;
my $progname= "";

# Aug  5 20:28:17 grand-central postfix/qmgr[4389]: AC2BB7F9A: removed
#           my $thistime= str2time($date);
#           warn "$0: cannot parse date '$date'\n" if !$thistime;

my $lasttimestamp= 0;
my $timestamp;
my $timestep= 0;

while(<>)
{
    # split the line into timestamp, (skipped) hostname, process name and
    # message text; the original PID in brackets is matched but discarded
    if ( ((my ($timestr, $process, $msg))=  /^(.*) \S+ ([^ []*)\[\d+\]: (.*)$/ ) == 3)
    {
        # str2time returns undef on failure; fall back to the previous
        # timestamp so that a bad line never produces a bogus sleep interval
        $timestamp= str2time($timestr);
        if (!defined $timestamp)
        {
            warn "$0: cannot parse timestamp '$timestr'\n";
            $timestamp= $lasttimestamp;
        }

        # reopen the log under the new program name when it changes
        if ($progname ne $process)
        {
            closelog;
            openlog "$process", 'ndelay,pid', $facility or die "$0: openlog: $!\n";
            $progname= $process;
        }

        # sleep for the (scaled) gap between this message and the previous one
        $timestep= $timestamp - $lasttimestamp;
        if ($replayspeed and $timestep > 0 and $lasttimestamp > 0)
        {
            warn "sleeping for " . $timestep * $replayspeed . " seconds...\n" if $debug;
            sleep( $timestep * $replayspeed);
        }

        syslog $priority, "%s", $msg unless $debug;
        warn "$process $facility/$priority $msg\n" if $debug;
        $lasttimestamp= $timestamp;
    }
    else
    {
        warn "$0: cannot parse input line $.: $_\n";
    }
}


__END__

=head1 NAME

relogger.pl - re-inject syslog log files back into syslog

=head1 SYNOPSIS

B<relogger.pl> [I<--facility fac>] [I<--priority pri>] [I<--replayspeed factor>] [I<--debug>]

=head1 DESCRIPTION

B<relogger.pl> takes syslog-formatted messages on standard input and re-sends
them via the default syslog mechanism.  The existing timestamps are stripped
off the message before it is re-sent.  Delays between messages can be enabled
with the I<--replayspeed> option (see B<OPTIONS> below) to simulate the
arrival times of the original messages.

B<relogger.pl> was written to help test configurations for programs
like B<logsurfer> or B<swatch> that parse log output and take
actions based on what messages appear in the logs.

=head1 OPTIONS

=over 4

=item B<--facility> I<fac>

specify the syslog facility to log the messages
to.  Standard syslog messages do not store the facility the message was
logged on, so this cannot be determined from the input.  The default is the
B<mail> facility.

=item B<--priority> I<pri>

specify the syslog priority to log the messages
to.  The default is the B<info> priority.  As with B<--facility>, this
information cannot be discovered from the input.

=item B<--replayspeed> I<factor>

attempt to parse the timestamps
of the input messages, and simulate the original arrival times by sleeping
between each message.  The sleep time is multiplied by I<factor>.  To send
simulated log events with time spacing at the same time as the original
arrival times, use a I<factor> of 1.  To send simulated log events at twice
the speed of the original logs, use a I<factor> of 0.5 (i.e. sleep only
half the original time between log messages).

=item B<--debug>

send all output to standard error, rather than to syslog.
Also prints an extra diagnostic message or two.

=back

=head1 BUGS

B<relogger.pl> is a beta-quality tool for testing logging configurations.
It is not yet recommended for production use.

It would be nice to be able to specify the input filename on the command
line, instead of requiring it to be on standard input.

It would be nice to be able to control the syslog mechanism on the
command line (i.e. specify whether to use a local or remote host)
rather than just using the system default.

The original PID in the message is replaced by the current PID of
B<relogger.pl> in the simulated message.  Also, the PID of B<relogger.pl>
will appear in the simulated message even if the original one did not
supply a PID.

In spite of using Time::HiRes to enable sleeping in fractional seconds,
some environments seem to still round off to seconds.  This needs a bit
more investigation.

=head1 AUTHOR

B<relogger.pl> was written by Ed Ravin <eravin@panix.com>, and is made
available to the public by courtesy of PANIX (http://www.panix.com).
This script is licensed under the GPL.  B<relogger.pl> requires the
Date::Parse and the Time::HiRes Perl modules.