[syslog-ng] Severity/Pri/Level

Balazs Scheidler bazsi at balabit.hu
Tue Jul 19 17:34:12 CEST 2011


On Tue, 2011-07-05 at 11:03 +0200, Gergely Nagy wrote:
> Hi!
> 
> Paul Muther <dalamars at gmail.com> writes:
> 
> > Just joined the list.  I was wondering if there was a method to
> > rewrite the severity of an event based on the text of the entry?  I
> > know I can use regex to read the message but from what I have seen I
> > can't set the severity level of an event.  In reading posts it would
> > appear it was a feature under consideration in the past.
> 
> Sorry for the late reply, hope it's still relevant!
> 
> According to the documentation[0], the FACILITY, SEVERITY, TAGS and the
> date related fields cannot be rewritten.
> 
> However, there might be a workaround: catch the messages you want to
> rewrite, pipe them to a program that calls logger (with the appropriate
> facility & severity), and bingo. The only thing you need to pay
> attention to is to avoid a loop: that's best done by using logger -u, and
> using a separate source for these rewritten logs.
> 
>  0: http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.2-guide-admin-en.html/modifying-messages.html
> 

Writing to non-string properties (like FACILITY) is on my list of things
I'd like to do, but no time so far.

There's a simpler solution though: use a template which simply uses a
fixed PRI value instead of using the $PRI macro.

e.g. 

template("<5>$DATE $HOST $MSGHDR$MSG\n");

This would send out kern.err instead of the PRI value of the original
message.

The value to use within <> can be calculated by: (facility * 8 +
severity), and the values can be looked up in /usr/include/syslog.h or
RFC3164.

-- 
Bazsi
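
The facility * 8 + severity calculation from the message above, as an added Python example that is not part of the original post or of syslog-ng. The function names are hypothetical and the sample log line is constructed; the codes are the standard syslog.h / RFC 3164 ones.

```python
import re

# Codes as defined in syslog.h / RFC 3164. Facilities 12-15 have no portable
# short name, so they are decoded as plain numbers.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
              "authpriv": 10, "ftp": 11}
FACILITIES.update({"local%d" % i: 16 + i for i in range(8)})
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>")


def encode_pri(facility, severity):
    """PRI = facility * 8 + severity."""
    return FACILITIES[facility] * 8 + SEVERITIES.index(severity)


def decode_pri(pri):
    """Split a PRI value back into (facility, severity) names."""
    if not 0 <= pri <= 191:  # 23 * 8 + 7 is the largest valid PRI
        raise ValueError("PRI out of range: %d" % pri)
    fac, sev = divmod(pri, 8)
    names = {code: name for name, code in FACILITIES.items()}
    return names.get(fac, str(fac)), SEVERITIES[sev]


def fixed_pri_template(facility, severity):
    """Build the template line with a constant PRI in place of $PRI."""
    return 'template("<%d>$DATE $HOST $MSGHDR$MSG\\n");' % encode_pri(facility, severity)


def rewrite_pri(line, facility, severity):
    """Model the template's effect on one raw line: returns the re-prioritised
    line and the (facility, severity) that the fixed PRI overwrote."""
    m = PRI_RE.match(line)
    if m is None:
        raise ValueError("no <PRI> header: %r" % line)
    original = decode_pri(int(m.group(1)))
    return "<%d>%s" % (encode_pri(facility, severity), line[m.end():]), original


if __name__ == "__main__":
    sample = "<38>Jul 19 17:34:12 host1 sshd[411]: Failed password for root"  # constructed
    print(fixed_pri_template("auth", "alert"))
    print(rewrite_pri(sample, "auth", "alert"))
```

Every message sent through a destination with such a template leaves with the same PRI, so receivers that filter or alert on severity no longer see the original value.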



