[syslog-ng] Severity/Pri/Level

Paul Muther dalamars at gmail.com
Wed Jul 20 23:32:13 CEST 2011


Hi Bazsi,

I hadn't thought of doing it that way.  :)

So with this solution I define a template for each program/severity level I need and then use filters and parsers to find the entries for each template to apply to?  

Thanks,
PM

On Jul 19, 2011, at 8:34 AM, Balazs Scheidler wrote:

> On Tue, 2011-07-05 at 11:03 +0200, Gergely Nagy wrote:
>> Hi!
>> 
>> Paul Muther <dalamars at gmail.com> writes:
>> 
>>> Just joined the list.  I was wondering if there was a method to
>>> rewrite the severity of an event based on the text of the entry?  I
>>> know I can use regex to read the message but from what I have seen I
>>> can't set the severity level of an event.  In reading posts it would
>>> appear it was a feature under consideration in the past.
>> 
>> Sorry for the late reply, hope it's still relevant!
>> 
>> According to the documentation[0], the FACILITY, SEVERITY, TAGS and the
>> date related fields cannot be rewritten.
>> 
>> However, there might be a workaround: catch the messages you want to
>> rewrite, pipe them to a program that calls logger (with the appropriate
>> facility & severity), and bingo. The only thing you need to pay
>> attention to is avoiding a loop: that's best done by using logger -u, and
>> using a separate source for these rewritten logs.
>> 
>> 0: http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.2-guide-admin-en.html/modifying-messages.html
>> 
> 
> Writing to non-string properties (like FACILITY) is on my list of things
> I'd like to do, but no time so far.
> 
> There's a simpler solution though: use a template which simply uses a
> fixed PRI value instead of using the $PRI macro.
> 
> e.g. 
> 
> template("<5>$DATE $HOST $MSGHDR$MSG\n");
> 
> This would send out kern.err instead of the PRI value of the original
> message.
> 
> The value to use within <> can be calculated by: (facility * 8 +
> severity), and the values can be looked up in /usr/include/syslog.h or
> RFC3164.
> 
> -- 
> Bazsi
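
The approach discussed in this thread (filters selecting the entries, one fixed-PRI template per target priority), written out as a syslog-ng configuration fragment. This is an added example, not part of the original messages; the source, filter and destination names, the program name "myapp", the match strings and the 192.0.2.10 address are assumptions.

```conf
# Added example. s_local, the f_* / d_* names, "myapp", the match strings and
# 192.0.2.10 (documentation address) are assumptions, not from the thread.
source s_local { unix-stream("/dev/log"); internal(); };

# Select the entries whose priority should be overridden, by program name
# and message text.
filter f_myapp_fail  { program("myapp") and message("connection refused"); };
filter f_myapp_retry { program("myapp") and message("retrying"); };

# One destination per target priority. PRI = facility * 8 + severity:
#   user (1) * 8 + err (3)     = 11
#   user (1) * 8 + warning (4) = 12
destination d_user_err {
    udp("192.0.2.10" port(514)
        template("<11>$DATE $HOST $MSGHDR$MSG\n"));
};
destination d_user_warning {
    udp("192.0.2.10" port(514)
        template("<12>$DATE $HOST $MSGHDR$MSG\n"));
};

# Everything else is forwarded with the priority it arrived with.
destination d_unchanged {
    udp("192.0.2.10" port(514)
        template("<$PRI>$DATE $HOST $MSGHDR$MSG\n"));
};

# flags(final) stops a matched message from also reaching the catch-all
# log path below, so each message is sent exactly once.
log { source(s_local); filter(f_myapp_fail);  destination(d_user_err);     flags(final); };
log { source(s_local); filter(f_myapp_retry); destination(d_user_warning); flags(final); };
log { source(s_local); destination(d_unchanged); };
```

The fixed value changes only the priority written to the destination; inside syslog-ng the message's own $PRI, $FACILITY and $LEVEL macros keep their original values, so filters on level() still see the original severity.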