[syslog-ng] syslog-ng OSE 3.2 Administrator Guide - beta

Balazs Scheidler bazsi at balabit.hu
Sun Nov 14 13:52:50 CET 2010 

Hi,

On Tue, 2010-11-02 at 13:15 +0100, Fekete Robert wrote:
> Hi,
> I have released a beta version of the new administrator guide. I have updated it 
> to cover (hopefully) every important change and feature in 3.2beta, but it still 
> needs a review. So if something isn't working as written, is missing, or 
> contains errors, please let me know.
> 
> You can find a summary of new sections here:
> http://robert.blogs.balabit.com/2010/11/syslog-ng-open-source-edition-3-2-administrator-guide-draft/
> 

Some notes
==========

1) global variables

it should probably be noted that in the syntax:

@define name "value"

the value portion is a string as defined by the syslog-ng parser, which
has the following 3 possible formats:

  * without quotes as long as there's no space inside and no special
characters are used (basically [a-zA-Z0-9_.])
  * with apostrophes in which case no embedded quotes are possible
  * with quotes in which case normal '\' escaping works

2) blocks

I'd like to note that the enclosing braces are not part of the block
itself. So if you have a block that defines a source for a specific
application:

block source myappsource() { 
                file("/opt/var/myapplication.log" follow_freq(1) default-facility(syslog)); };

Then this can be referenced like this in a source {} statement:

source s_local { myappsource(); };

Also I don't see a description of block arguments. At least an empty 
argument list is mandatory. (note the parentheses after myappsource() 
above). These are missing from the docs too.

3) process accounting

The prefix used is ".pacct." not "pacct_", e.g. the fields are named this way:
".pacct.ac_comm"

4) system() driver

seems to be ok to me. maybe a mention of the default configuration file should be added though.

5) comparison operators in filter statements

this example is not correct: "$HOST" eq "myhost" is equivalent to using host("myhost").

it'd be: host("myhost" type(string))

6) template functions

not just double quotes can be used. apostrophes also work.

7) conditional rewrites

ok.

8) correllation

I somewhat miss the '@distance' macro modifier. I've found it at the end of 
the <action> description, but please note that it can be used also on the 
<values> section of a patterndb rule, not just in the actions section.

9) patterndb v4 format

ok.

10) strace stuff

ok.

maybe a note about attaching to a running syslog-ng process using the -p option for strace/truss/tusc


-- 
Bazsi

More information about the syslog-ng mailing list