[syslog-ng] kernel logging feature requests

Patrick H. syslogng at feystorm.net
Wed Sep 21 19:40:30 CEST 2011



Sent: Wed Sep 21 2011 09:33:40 GMT-0600 (MST)
From: Gergely Nagy <algernon at balabit.hu>
To: Syslog-ng users' and developers' mailing list 
<syslog-ng at lists.balabit.hu>
Subject: Re: [syslog-ng] kernel logging feature requests
> Balazs Scheidler <bazsi at balabit.hu> writes:
>
>> On Fri, 2011-09-16 at 21:16 -0600, Patrick H. wrote:
>>> While setting up a new server at home I've come across 2 feature
>>> requests that would be fairly nice to have (and not that hard to
>>> implement I would think).
>>>
>>> 1) When the 'kernel' flag is set on a file() source (like for
>>> reading /proc/kmsg), look for the printk time (eg "[ 1234.567890]")
>>> and calculate when the message would have occurred instead of just
>>> using when the line was read off the file. Basically check to see the
>>> number of seconds the system has been up, subtract the printk time,
>>> and then subtract that from current time.
>> this would be useful, I agree.
> +1.
>
> I was pondering about how to do this properly. On one hand, extracting
> the timestamp from the message is easy with patterndb. But converting it
> to a proper date is a harder task that way (off the top of my head, that
> would require a way to figure out the bootup time, preferably once only;
> and a way to format an arbitrary timestamp to a date).
>
> Another solution would be to add a flag(parse-kernel-uptime) flag or
> similar, and implement support for it directly in syslog-ng. This would
> override the $DATE macros.
>
> There's probably other ways to do this, perhaps even easier and more
> convenient ways. Any other ideas?

Well I think you'd have to calculate this on every message received. If 
you do something just once like what time the system booted, if the 
system time changes, then values calculated off that will be inaccurate.
Also I question if we need a separate flag. If we just use the 
pre-existing 'kernel' flag, we can assign the calculated time to the S_ 
macros (S_HOUR, S_DATE, etc), and then have R_ macros be the time it was 
read off the line.

>>> 2) I grab all kernel messages with priority of crit or higher and send
>>> it to the usertty() destination, but this destination doesn't support
>>> templates. It'd be nice to be able to define the template. I mostly
>>> just want to change the time format and remove the hostname (since
>>> these will only come from localhost on my setup).
> [...]
>
>> Anyone volunteering?
> Unless someone beats me to it, I'll do it, when time permits. But it
> would be better if someone else stepped up, it's an easy task, and I'll
> gladly give pointers. You don't even have to know much C!
I might have time to do this this weekend. I'm the on-call at work this 
week, so I'll be chained to my computer anyway. But I don't know.
Seems like none of us can figure if we'll have time to do this or not 
:-). So if I do it, I'll just respond to this thread.
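The recipe for request 1), worked through as an added example that is not code from this thread or from syslog-ng (Python for clarity; syslog-ng itself is C): parse the printk prefix off a /proc/kmsg line, compute now - (uptime - printk_time) for every message rather than caching a boot time, and keep the result separate from the read time, mirroring the S_ versus R_ macro split suggested above. The sample line, the read time and the /proc/uptime format ("seconds idle") are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# printk prefix as seen on /proc/kmsg with CONFIG_PRINTK_TIME, e.g.
# "<4>[ 1234.567890] usb 1-1: new device". The <N> priority is optional.
PRINTK_TS = re.compile(r'^(?:<\d+>)?\[\s*(\d+)\.(\d{6})\]\s?(.*)$')

# constructed sample: the line is read 65.43211 s after the kernel printed it
SAMPLE_LINE = '<4>[ 1234.567890] usb 1-1: new high-speed USB device'
READ_AT = datetime(2011, 9, 21, 19, 40, 30, tzinfo=timezone.utc)

def parse_printk_prefix(line):
    """Return (microseconds since boot, message text), or None when the
    line carries no printk time (then only the read time is available)."""
    m = PRINTK_TS.match(line)
    if not m:
        return None
    secs, frac, msg = m.groups()
    return int(secs) * 1_000_000 + int(frac), msg

def read_uptime_us(path='/proc/uptime'):
    """Uptime from /proc/uptime (assumed format: 'up idle'), in microseconds.
    Sample this at the moment the line is read, next to the wall clock."""
    with open(path) as f:
        return round(float(f.read().split()[0]) * 1_000_000)

def kernel_stamps(line, now, uptime_us):
    """Message time = now - (uptime - printk time), computed per message.
    `now` is the wall-clock time when the line was read (the R_ time) and
    `uptime_us` the uptime sampled at that same moment; nothing is cached at
    startup, so a later clock change (NTP step, manual date) does not skew
    messages logged afterwards. Returns (s_time, r_time, message): the
    computed stamp for the S_ macros and the receive time for the R_ macros."""
    parsed = parse_printk_prefix(line)
    if parsed is None:
        return now, now, line          # no printk time: fall back to read time
    printk_us, msg = parsed
    age_us = uptime_us - printk_us
    if age_us < 0:
        age_us = 0                     # sampling race; never stamp in the future
    return now - timedelta(microseconds=age_us), now, msg

if __name__ == '__main__':
    s, r, msg = kernel_stamps(SAMPLE_LINE, READ_AT, 1_300_000_000)
    print(s.isoformat(), r.isoformat(), msg)
```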