[syslog-ng] setting facility/level of source log messages ?
Balazs Scheidler
bazsi at balabit.hu
Wed Mar 11 08:20:03 CET 2009
On Tue, 2009-03-10 at 22:51 +0100, Balazs Scheidler wrote:
> On Wed, 2009-03-04 at 14:26 +0100, Xavier Lapie wrote:
> > On Wed, Mar 04, 2009 at 10:19:55AM +0100, Balazs Scheidler wrote:
> > > Hi,
> > >
> > > Thanks for your contribution, it is really appreciated. However as I
> > > said the 3.0 branch already has a less general solution to the same
> > > problem. Could you update your patch against 3.0, making the file
> > > specific options LogReader specific?
> >
> > Hi,
> >
> > I hope this version is ok for your 3.0 branch.
>
> I have added this functionality, but I'm afraid I basically rewrote your
> patch completely. Instead of using a separate fake_facility/fake_level
> keywords, I used the already existing facility/level options. Also, I
> have changed the behaviour slightly which covers your case but also fits
> to the syslog-ng model a bit better:
>
> instead of overwrite the facility/level value, the user can specify the
> default facility/level values, and it gets used when the message does
> not specify one (e.g. no-parse, or a message without a proper fac/level
> value)
>
> So from now on, it is possible to do things like:
>
> source aaa { udp(facility(syslog) level(emerg)); };
>
> And if the message does not have a proper syslog header containing the
> above values, it'll use the ones specified in the configuration file.
>
> Now as I think of it, it might be better to really use a separate
> keyword for this, e.g. default-facility() and default-level()
>
> Any opinions?
Hmm.. I was thinking about this feature a bit more, and it occurred to
me that it would be possible to implement this also as a rewrite
function, e.g.
source src { ... };
rewrite r_fac { set("syslog" value("FACILITY")); set("crit" value("LEVEL")); };
I'm not sure that we need both features:
* to specify the default priority value for any kind of log source
* to make it possible to rewrite the value
I find the 2nd more general. What do you all think?
--
Bazsi
More information about the syslog-ng
mailing list