[syslog-ng] [RFC]: value-pairs()

Evan Rempel erempel at uvic.ca
Mon Jan 24 21:47:18 CET 2011 

Gergely Nagy wrote:
> Hi!
> 
> The idea of a generic framework to set up value pairs came up first
> during the afmongodb discussion (see Bazsi's ideas at
> http://article.gmane.org/gmane.comp.syslog-ng/10432), and while
> working on the tfjson driver, it came up again.
> 
> I've learnt a lot since the dynamic-variables implementation in
> afmongodb, and following Bazsi's comments on the list earlier, we
> managed to talk a little about the value-pairs() feature too. That,
> and another quick chat with Balint, followed by working on tfjson
> helped form the proposal below.
> 
> I'll divide this into two sections: the first part, mostly aimed at
> people using syslog-ng in production would be a request for comments
> regarding the syntax of the feature.
> 
> The Syntax
> ==========
> 
> value-pairs (
>   glob-select ("usracct.*")
>   glob-exclude ("*.*id")
>   builtins (no)
>   $HOST $MESSAGE
>   "program_n_pid" = "$PROGRAM[$PID]"
> )
> 

I would like to have the select/exclude take a style and an expression so that
the use of gnu regex could be used (if supported by syslog-ng) or perl regex
or glob. Perhaps only glob and perl regex are supported now but there may be
a faster regular expression tool that becomes available in the future that
could be added without breaking backwards compatibility.

Something of the format
value-pairs (
   select ( style="pcre" pattern="^usracct\." )
   select ( style="glob" pattern="useracct.*")


The use of $HOST or any other macro should always refer to the content of the macro,
so for the purpose of identifying macros by name, a syntax

    macro (HOST MESSAGE)

could be used. I think this is more intuitive than using the $HOST names.

Finally, each of these value-pairs definitions is of the form

   keyword ( arguments )

so for consistency I would suggest that defining custom keys should be done with something
of the format

   define ( "program_n_pid", "$PROGRAM[$PID]")

for complete orthogonal consistency this should be

   define ( macro="program_n_pid", value="$PROGRAM[$PID]")

but that may be a little bit of overkill.

Evan.

More information about the syslog-ng mailing list