[syslog-ng] Change the facility or the priority of a syslog message ?

Ilas, Yann yann.ilas at eads.com
Thu Apr 1 17:55:20 CEST 2010 

Hello,

I'm using the syslog-ng application version 3.1.0. I would like to change
the severity and/or the facility of an event.

Here is the configuration for this test :

template t_format {
        template ("$YEAR-$MONTH-$DAY
$HOUR:$MIN:$SEC;$HOST;$FACILITY;$PRIORITY;$PROGRAM;$MSG\n");
};

source s_local_test {
        unix-stream("/dev/log");
};

destination d_test {
        file ( "/tmp/test"
                template (t_format)
        );
};

rewrite r_rewrite_set {
        set (
                "my_program"
                value("PROGRAM")
        );
};

log {
        source (s_local_test);
        rewrite (r_rewrite_set);
        destination (d_test);
};


I generated a message by using "logger" :
# logger -i -p local0.info  "Test Message : ABCDEFGHIJKLMNOPQRST ## $(date)
##"

=> /tmp/test:
2010-04-01 15:12:14;pc-dev.dom;local0;info;MY_PROGRAM;Test Message :
ABCDEFGHIJKLMNOPQRST ## jeu avr  1 15:12:14 CEST 2010 ##

Ok, I can change the PROGRAM name... :-)

...So I changed the rule "r_rewrite_set" to modify the value to "facility" :

rewrite r_rewrite_set {
        set (
                "local4"
                value("FACILITY")
        );
};

And when I restarted the syslog-ng, I had the following errors :

# /etc/init.d/syslog-ng restart
Macros are read-only, they cannot be changed in rewrite rules, falling back
to MESSAGE instead; macro='FACILITY'
Restarting syslog-ng: Stopping syslog-ng:                  [  OK  ]
Starting syslog-ng: Macros are read-only, they cannot be changed in rewrite
rules, falling back to MESSAGE instead; macro='FACILITY'
                                                           [  OK  ]

I have the same error when I changed the "PRIORITY" of the rule
"r_rewrite_set" :
> Macros are read-only, they cannot be changed in rewrite rules, falling
back to MESSAGE instead; macro='PRIORITY'

I tried to send a message by using "logger" but as it written in the above
error, the MESSAGE was changed... :-(

My questions are :
   1. Which macros are read-only ? PRIORITY, FACILITY, another ?
   2. Is there a way to change the facility or the priority of an event ?
   3. If not, why can't I change the facility or the priority ? 

Regards,

Yann
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20100401/e1d7a7fa/attachment.htm

More information about the syslog-ng mailing list