[syslog-ng] setting facility/level of source log messages ?

Balazs Scheidler bazsi at balabit.hu
Tue Mar 10 22:51:16 CET 2009


On Wed, 2009-03-04 at 14:26 +0100, Xavier Lapie wrote:
> On Wed, Mar 04, 2009 at 10:19:55AM +0100, Balazs Scheidler wrote:
> > Hi,
> > 
> > Thanks for your contribution, it is really appreciated. However as I
> > said the 3.0 branch already has a less general solution to the same
> > problem. Could you update your patch against 3.0, making the file
> > specific options LogReader specific?
> 
> Hi,
> 
> I hope this version is ok for your 3.0 branch.

I have added this functionality, but I'm afraid I basically rewrote your
patch completely. Instead of using separate fake_facility/fake_level
keywords, I used the already existing facility/level options. Also, I
have changed the behaviour slightly, which covers your case but also fits
the syslog-ng model a bit better:

Instead of overwriting the facility/level value, the user can specify the
default facility/level values, and they get used when the message does
not specify one (e.g. no-parse, or a message without a proper fac/level
value).

So from now on, it is possible to do things like:

source aaa { udp(facility(syslog) level(emerg)); };

And if the message does not have a proper syslog header containing the
above values, it'll use the ones specified in the configuration file.

Now that I think of it, it might be better to really use a separate
keyword for this, e.g. default-facility() and default-level().

Any opinions?

The patch in its current form can be found here:

http://git.balabit.hu/?p=bazsi/syslog-ng-3.0.git;a=commit;h=2bddf91e2dc3b1f590f3cff2f735cb6ccd5531a7

Tomorrow's nightly snapshot should contain it.

-- 
Bazsi
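
The fallback behaviour described in the message above, as an added example that is not part of the original post and is not syslog-ng's own code: a PRI carried by the message wins, and the configured facility(syslog) level(emerg) default applies only when no proper header is present. The names make_pri and effective_pri are hypothetical, and the "proper header" test used here (1-3 digits, value at most 191, as in the syslog RFCs) is an assumption about what counts as valid.

```c
#include <stdio.h>
#include <ctype.h>

/* Numeric codes, same values as in <syslog.h> */
#define FAC_SYSLOG 5
#define LVL_EMERG  0

/* Hypothetical helper, not a syslog-ng function: PRI = facility * 8 + level */
static int make_pri(int facility, int level) { return (facility << 3) | level; }

/* Parse a leading "<N>" header. Returns the PRI from the message when the
 * header is well formed, otherwise default_pri (assumed validity rule:
 * 1-3 digits, N <= 191). *body points past the header, or at msg if unused. */
int effective_pri(const char *msg, int default_pri, const char **body)
{
    const char *p = msg;
    int pri = 0, digits = 0;

    *body = msg;
    if (*p++ != '<')
        return default_pri;
    while (isdigit((unsigned char)*p) && digits < 3) {
        pri = pri * 10 + (*p++ - '0');
        digits++;
    }
    if (digits == 0 || *p != '>' || pri > 191)
        return default_pri;
    *body = p + 1;
    return pri;
}

int main(void)
{
    /* Constructed sample messages */
    const char *samples[] = {
        "<38>sshd[411]: session opened",   /* valid header: auth.info */
        "sshd[411]: no header at all",     /* default applies */
        "<999>out of range priority",      /* default applies */
        "<13 unterminated header",         /* default applies */
    };
    int def = make_pri(FAC_SYSLOG, LVL_EMERG);
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        const char *body;
        int pri = effective_pri(samples[i], def, &body);
        printf("facility=%d level=%d body=\"%s\"\n", pri >> 3, pri & 7, body);
    }
    return 0;
}
```

Because the sender's own PRI takes precedence, a source-level default like this labels headerless input but does not normalise what a remote sender claims about itself.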



