No subject


Sun Oct 3 12:43:47 CEST 2010


"S_", then we explicitly include .SDATA.meta.sequenceId (though, in this
example, this is useless, as it's already included due to the scope, and
wasn't excluded). Then add a custom key-value pair. 

Syntax Details
--------------

The starting name-value pair set will be defined by the scope()
statement, which can have the following values:

        * nv_pairs: The name-value pair database, including some
        frequently used builtins (currently: HOST, HOST_FROM, MESSAGE,
        PROGRAM, PID, MSGID, SOURCE and LEGACY_MSGHDR)
        * rfc3164, alias core, alias base: The basic pairs from RFC3164:
        $FACILITY, $SEVERITY (= $LEVEL), $DATE (= $S_DATE), $HOST,
        $PROGRAM, $PID, and $MSG.
        * rfc5424, alias syslog: The pairs from rfc3164 plus $SDATA and
        $MSGID.
        * all_macros: All macros known to syslog-ng (including all of
        the above, pretty much)
        * selected_macros: rfc5424 + $TAGS, $SOURCEIP, $SEQNUM
        * everything: all of the above, combined

Each key is added to the set only once, naturally.

scope() was introduced as a replacement for builtins(), which was
unclear and inflexible. scope() does the job far better, and is - in my
opinion - a lot clearer too.

Apart from scope(), we have a few more statements:

        * select() / exclude(): We wanted to rename select() to
        include(), but syslog-ng already has an include() statement, and
        I ran into problems during the rename. It's undecided whether
        we'll remain with select() or adjust the parser to treat the two
        include statements differently (I'd opt for select()).
        
        The difference from the previous implementation's
        select()/exclude() is that in the new implementation, the first
        match will matter. This gets rid of the confusing priority
        stuff, and is still flexible enough (especially with the
        introduction of scope()) for all cases we could come up with.
        
        * key(): One can list macros with this statement. It does the
        same thing "$HOST" and friends did in the previous
        implementation, one just needs to use a statement this time, for
        clarity's sake.
        
        * pairs(): Same thing as the previous implementation's ("key"
        "value") construct.
        
Current shortcomings:

        * List separation: at the moment, list values need to be space
        separated, and the key-value pairs (see pairs()) need a space
        separator too.
        
        In the long run, we'd like to allow commas as separators too.
        
Another example
---------------

value-pairs(
  scope(selected_macros nv_pairs)
  select(.*)
  select("usracct.*")
  select("secevt.*")
  select(".SDATA.*")
  exclude("*")
  key("SEVERITY") key("HOST") key("PROGRAM") key("PID")
  key("MSG") key("TAGS")
  pair("timestamp" "$UNIXTIME")
);

This will start with a base set of selected_macros and nv_pairs, select
a few specified patterns, and exclude everything else. Then it will
explicitly add a few keys (which do not need to be part of the
original set!), and a custom key-value pair.

I hope this was understandable, and better than the previous proposal.

As soon as I start working on implementing this proposal, the code will
be available from the work/value-pairs/base branch of my git tree:

git://git.madhouse-project.org/syslog-ng/syslog-ng-3.3.git

(or browsable on the web at:
http://git.madhouse-project.org/syslog-ng/syslog-ng-3.3/log/?h=work/value-pairs/base)


And as always, your feedback is most appreciated! Nothing is set in
stone yet, and I'd love to hear your opinion.

-- 
|8]
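
The first-match select()/exclude() rule and the "Another example" configuration from the message above, modelled in Python as an added example (not part of the original post and not syslog-ng code). It assumes the patterns are globs, that a name no rule matches stays in the set, and that a pair() value starting with "$" is a macro lookup; the sample message and the NV_PAIRS stand-in for scope(nv_pairs) are constructed.

```python
from fnmatch import fnmatchcase

# Scope contents as listed in the proposal (macro names without the "$").
RFC3164 = ["FACILITY", "SEVERITY", "DATE", "HOST", "PROGRAM", "PID", "MSG"]
RFC5424 = RFC3164 + ["SDATA", "MSGID"]
SELECTED_MACROS = RFC5424 + ["TAGS", "SOURCEIP", "SEQNUM"]

def kept(name, rules):
    """Walk the ordered select()/exclude() rules; the first match decides."""
    for action, pattern in rules:
        if fnmatchcase(name, pattern):      # assumption: patterns are globs
            return action == "select"
    return True                             # assumption: unmatched names stay

def value_pairs(message, scope, rules, keys=(), pairs=()):
    """Model of one value-pairs() evaluation against a single message."""
    out = {}
    for name in scope:                      # scope(), filtered by the rules
        if name in message and kept(name, rules):
            out.setdefault(name, message[name])   # each key is added once
    for name in keys:                       # key() adds even if filtered out
        if name in message:
            out.setdefault(name, message[name])
    for name, value in pairs:               # pair(): "$NAME" is looked up,
        is_macro = value.startswith("$")    # anything else is a literal
        out[name] = message.get(value[1:], "") if is_macro else value
    return out

# Constructed sample message, not taken from a real log.
MESSAGE = {
    "FACILITY": "auth", "SEVERITY": "info", "DATE": "Oct  3 12:43:47",
    "HOST": "gw1", "PROGRAM": "sshd", "PID": "4242", "MSGID": "-",
    "MSG": "Accepted publickey for alice", "TAGS": ".source.s_net",
    "SOURCEIP": "192.0.2.10", "SEQNUM": "17", "UNIXTIME": "1286102627",
    ".SDATA.meta.sequenceId": "17", ".classifier.class": "system",
    "usracct.username": "alice", "secevt.verdict": "ACCEPT",
}
NV_PAIRS = [n for n in MESSAGE if "." in n]  # stand-in for scope(nv_pairs)

# The rules, keys and pair from "Another example", in the order given there.
RULES = [("select", ".*"), ("select", "usracct.*"), ("select", "secevt.*"),
         ("select", ".SDATA.*"), ("exclude", "*")]
KEYS = ["SEVERITY", "HOST", "PROGRAM", "PID", "MSG", "TAGS"]

def another_example():
    return value_pairs(MESSAGE, SELECTED_MACROS + NV_PAIRS, RULES,
                       KEYS, [("timestamp", "$UNIXTIME")])

if __name__ == "__main__":
    for name, value in another_example().items():
        print(f"{name} = {value}")
```

In this model SOURCEIP, SEQNUM, FACILITY, DATE and MSGID are in scope but fall through to the trailing exclude("*") and are dropped, because no key() re-adds them. Moving exclude("*") to the front of the rule list would leave only the key() and pair() entries.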




