[syslog-ng] Unable to set PRIORITY and LEVEL in rewrite

Siem Korteweg Siem.Korteweg at qnh.nl
Mon Jun 29 16:22:59 CEST 2009


Hi,

with the central logging of syslog in place, I moved on to the file
/var/log/httpd/ssl_error_log to explore the syslog-ng (3.0.2-1 OSE on CentOS
5.3) capabilities with logfiles from other applications. The contents of this
file are rather straightforward:

[Wed Jun 24 12:14:49 2009] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Jun 24 12:14:49 2009] [error] [client 192.168.3.178] PHP Notice: Undefined offset:  2

I want to skip the date/time (assuming there is no delay before syslog-ng
processes the data) and to set the PRIORITY and LEVEL attributes to "warning"
and "err". The following config file (included in the main config) should do
the job. 

source s_http_ssl_error {
    file(
        "/var/log/httpd/ssl_error_log"
        flags(no-parse)
        follow_freq(1)
    );
};

# Split the message.
parser p_http_ssl_error {
    csv-parser(
        columns(
            "HTTP.TIMESTAMP",
            "HTTP.SEVERITY",
            "HTTP.MSG"
            # Match the remainder of the message (greedy).
        )
        delimiters( " " )
        flags( greedy, escape-double-char, strip-whitespace )
        quote-pairs( '""[]' )
    );
};

filter  f_http_ssl_error_warn{ match( "warn" value( "HTTP.SEVERITY" ) ); };
rewrite r_http_ssl_error_warn{
    set( "warning" value( "LEVEL" ) );
    set( "warning" value( "PRIORITY" ) );
};

filter  f_http_ssl_error_error{ match( "error" value( "HTTP.SEVERITY" ) ); };
rewrite r_http_ssl_error_error{
    set( "err" value( "LEVEL" ) );
    set( "err" value( "PRIORITY" ) );
};

# Eliminate the severity as soon as PRIORITY and LEVEL are set!
# Set the attribute program to "http_ssl_error".
template t_http_ssl_error{ template( "http_ssl_error ${HTTP.SEVERITY} ${HTTP.MSG}\n" ); };

# Send the message to the regular syslog in order to transfer it to the syslog-ng collector.
destination d_http_ssl_error{
    unix-dgram(
        "/dev/log"
        template( t_http_ssl_error )
    );
};

# Handle the warnings.
log {
    source( s_http_ssl_error );
    parser( p_http_ssl_error );
    filter( f_http_ssl_error_warn );
    rewrite( r_http_ssl_error_warn );
    destination( d_http_ssl_error );
    flags( final );
};

# Handle the errors.
log {
    source( s_http_ssl_error );
    parser( p_http_ssl_error );
    filter( f_http_ssl_error_error );
    rewrite( r_http_ssl_error_error );
    destination( d_http_ssl_error );
    flags( final );
};

# Handle the other messages.
log {
    source( s_http_ssl_error );
    parser( p_http_ssl_error );
    destination( d_http_ssl_error );
};


Inserting [warn], [error] and [other] lines in the logfile results in the
proper number of syslog-ng messages with the desired MSG-contents. However,
the priority and level attributes are unchanged ("notice"). What is wrong?

kind regards,

Siem Korteweg
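
Added example (not part of the original post and not syslog-ng code): the split and level mapping that the configuration above aims for, written in Python so the resulting syslog priority of each line can be checked. The `user` facility, the `notice` default for lines that do not match, the `<PRI>` framing of the output and all function names are assumptions of this sketch.

```python
import re

# Apache error_log level -> syslog severity number (RFC 3164 numbering).
APACHE_TO_SYSLOG = {
    "emerg": 0, "alert": 1, "crit": 2, "error": 3,
    "warn": 4, "notice": 5, "info": 6, "debug": 7,
}
SEVERITY_NAMES = ["emerg", "alert", "crit", "err",
                  "warning", "notice", "info", "debug"]
FACILITY_USER = 1  # assumption: messages are logged under the "user" facility

# "[timestamp] [level] rest-of-line", the layout shown in the post.
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]*)\]\s+\[(?P<level>[a-z]+)\]\s+(?P<msg>.*)$")


def parse_line(line):
    """Split one error-log line; return (level, msg), or None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    return m.group("level"), m.group("msg")


def to_syslog(line, program="http_ssl_error", default_severity=5):
    """Return (severity_name, message framed with a <PRI> header) for one line."""
    parsed = parse_line(line)
    if parsed is None:
        # Assumption: unmatched lines are forwarded whole at the default severity.
        severity, msg = default_severity, line.strip()
    else:
        level, msg = parsed
        severity = APACHE_TO_SYSLOG.get(level, default_severity)
    pri = FACILITY_USER * 8 + severity  # PRI = facility * 8 + severity
    return SEVERITY_NAMES[severity], f"<{pri}>{program}: {msg}"


# Constructed sample input: the two lines quoted in the post (unwrapped),
# plus one made-up line that carries no timestamp or level.
SAMPLE = [
    "[Wed Jun 24 12:14:49 2009] [warn] RSA server certificate is a CA "
    "certificate (BasicConstraints: CA == TRUE !?)",
    "[Wed Jun 24 12:14:49 2009] [error] [client 192.168.3.178] PHP Notice: "
    "Undefined offset:  2",
    "a continuation line without timestamp or level",
]

if __name__ == "__main__":
    for sample_line in SAMPLE:
        print(to_syslog(sample_line))
```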