[syslog-ng] Can TAG field be terminated by space?

Evan Rempel erempel at uvic.ca
Sun Dec 30 17:22:34 CET 2007


Balazs Scheidler wrote:

>>Wow, this is a can of worms.
>>
>>If I use a template of
>>
>>$PRI $DATE $HOST $FACILITY.$PRIORITY $PROGRAM: $MSGONLY
>>
>>it should recreate the entire syslog message, but it will not.
>>The information inside of the [xxx] of the program will be
>>dropped (or will it be part of the MSGONLY?)
> 
> 
> No, but if you used:
> 
> $PRI $DATE $HOST $FACILITY.$PRIORITY $MSG
> 
> This will contain all of program/pid and message in its original
> formatting.
> 
> 
>>If you want to exclude the [xxx] from the PROGRAM macro then I think
>>that a new macro is required that will contain the [xxx] component.
>>Perhaps INSTANCE or IDENTIFIER or UNIQUE. 
> 
> 
> There's a macro called $PID, but it is not always set as the pid part is
> optional.
> 
> 
>>I don't have the RFC
>>in front of me, but using the terminology that the RFC uses
>>would be good. The I can write a template of
>>
>>$PRI $DATE $HOST $FACILITY.$PRIORITY $PROGRAM[$INSTANCE]: $MSGONLY
>>
>>to recreate the syslog record.
>>
>>And what about if the INSTANCE is not present in the record....
> 
> 
> $MSG ?
> 
> 
>>Perhaps we need a conditional template? Currently two
>>destinations with the same endpoint, that use different templates
>>and different filters can be used to accomplish this, but it
>>gets convoluted very quickly.
> 
> 
> I don't want to complicate templates() even further. $MSG does the trick
> IMHO.

MSG is not sufficient because it forces the message, program and PID to be controlled
as one piece. My example of recreating the original syslog record was overly simplistic
and can be accomplished as you indicate with the MSG expansion.

I had forgotten about PID which seems appropriate, PROVIDED it is not required to be numeric.
We have a few applications that use the text between the [] as an instance name
and it is made up of letters and numbers.

All of the more complicated examples I can think of are for data mining purposes
and as such go through an external program that places the syslog data into a storage
engine (database). In all of these cases, external parsing of the program[pid] can
be done. IMHO it would be cleaner to parse the message in syslog-ng to create an output
stream that has all of the message pieces broken apart:

DATE HOST FACILITY PRIORITY PROGRAM PID MSGONLY

and this seems to have been addressed by the PID, with the one caveat that it must accept
non-numeric data.

Thanks for jogging my memory.

Evan.
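
An added example, not part of the original message and not syslog-ng code: one way to do the external parsing of program[pid] mentioned above, treating the bracketed text as an optional free-form string rather than a number. The function names and the sample lines are constructed for illustration.

```python
import re

# TAG = program name, optional [instance], then ':'; the rest is the message text.
TAG_RE = re.compile(
    r"^(?P<program>[^\s\[\]:]+)"   # program name: no spaces, brackets or colon
    r"(?:\[(?P<pid>[^\]]*)\])?"    # optional [pid]; any text, not only digits
    r":\s?(?P<msgonly>.*)$",       # colon, at most one space, then the message
    re.DOTALL,
)


def split_tag(msg):
    """Split 'program[pid]: text' into (program, pid, msgonly).

    pid is None when the brackets are absent; program is also None when
    the line carries no recognisable tag, and the line is kept whole.
    """
    m = TAG_RE.match(msg)
    if m is None:
        return (None, None, msg)
    return (m.group("program"), m.group("pid"), m.group("msgonly"))


def rebuild(program, pid, msgonly):
    """Recreate the original text, emitting [pid] only when one was present."""
    if program is None:
        return msgonly
    if pid is None:
        return f"{program}: {msgonly}"
    return f"{program}[{pid}]: {msgonly}"


# Constructed sample lines: numeric pid, instance name, no pid, no tag.
SAMPLES = [
    "sshd[1234]: Accepted publickey for alice",
    "appsrv[node7a]: cache warmed",
    "kernel: eth0 link up",
    "no tag here",
]

if __name__ == "__main__":
    for line in SAMPLES:
        fields = split_tag(line)
        # One tab-separated record per line: PROGRAM PID MSGONLY ('-' = absent).
        print("\t".join("-" if f is None else f for f in fields))
        assert rebuild(*fields) == line
```
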


