[syslog-ng] kernel logging feature requests

Gergely Nagy algernon at balabit.hu
Wed Sep 21 21:15:28 CEST 2011


"Patrick H." <syslogng at feystorm.net> writes:

>> I was pondering about how to do this properly. On one hand, extracting
>> the timestamp from the message is easy with patterndb. But converting it
>> to a proper date is a harder task that way (off the top of my head, that
>> would require a way to figure out the bootup time, preferably once only;
>> and a way to format an arbitrary timestamp to a date).
>>
>> Another solution would be to add a flag(parse-kernel-uptime) flag or
>> similar, and implement support for it directly in syslog-ng. This would
>> override the $DATE macros.
>>
>> There are probably other ways to do this, perhaps even easier and more
>> convenient ways. Any other ideas?
>
> Well I think you'd have to calculate this on every message
> received. If you do something just once like what time the system
> booted, if the system time changes, then values calculated off that
> will be inaccurate.

Hrm, true. I didn't consider moving time.

> Also I question if we need a separate flag. If we just use the
> pre-existing 'kernel' flag, we can assign the calculated time to the
> S_ macros (S_HOUR, S_DATE, etc), and then have R_ macros be the time
> it was read off the line.

Oh, we have a kernel flag? O:)

Then we can reuse that, yes. I'll see if I can come up with something
over the weekend or so.

>>>> 2) I grab all kernel messages with priority of crit or higher and send
>>>> it to the usertty() destination, but this destination doesn't support
>>>> templates. It'd be nice to be able to define the template. I mostly
>>>> just want to change the time format and remove the hostname (since
>>>> these will only come from localhost on my setup).
>> [...]
>>
>>> Anyone volunteering?
>> Unless someone beats me to it, I'll do it, when time permits. But it
>> would be better if someone else stepped up, it's an easy task, and I'll
>> gladly give pointers. You don't even have to know much C!
> I might have time to do this this weekend. I'm the on-call at work
> this week, so I'll be chained to my computer anyway. But I don't know.
> Seems like none of us can figure if we'll have time to do this or not
> :-). So if I do it, I'll just respond to this thread.

*cheers*

-- 
|8]
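
The per-message conversion discussed in the thread above, as an added example that is not part of the original message and is not syslog-ng code: the boot time is re-derived from both clocks each time a line is read, so a stepped system clock does not leave later stamps stale. The function names are hypothetical, and using CLOCK_MONOTONIC as a stand-in for the kernel's timestamp clock is an assumption (treat the result as an approximation).

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdlib.h>
#include <time.h>

/* Parse optional "<pri>" then "[secs.usecs]"; constructed sample: "<6>[    5.123456] msg".
 * Returns 0 and the uptime in microseconds, or -1 if the stamp is absent or malformed. */
int parse_kernel_uptime(const char *line, int64_t *uptime_us)
{
    char *end;
    if (*line == '<') {                          /* skip "<6>" style priority */
        while (*line && *line != '>') line++;
        if (*line != '>') return -1;
        line++;
    }
    if (*line != '[') return -1;
    line++;
    while (*line == ' ') line++;                 /* seconds are space-padded */
    if (*line < '0' || *line > '9') return -1;
    long long secs = strtoll(line, &end, 10);
    if (*end != '.' || secs > INT64_MAX / 1000000 - 1) return -1;
    const char *frac = end + 1;
    if (*frac < '0' || *frac > '9') return -1;
    long long usecs = strtoll(frac, &end, 10);
    if (end - frac != 6 || *end != ']') return -1;   /* exactly six digits */
    *uptime_us = (int64_t)secs * 1000000 + usecs;
    return 0;
}

/* Time the message was stamped (us since epoch): the wall clock at read time
 * minus the message's age, which is current uptime minus the message's uptime. */
int64_t stamp_from_uptime(int64_t now_wall_us, int64_t now_uptime_us, int64_t msg_uptime_us)
{
    return now_wall_us - (now_uptime_us - msg_uptime_us);
}

/* Sample both clocks for this line (nothing cached) and convert it. */
int kernel_line_to_stamp(const char *line, int64_t *stamp_us)
{
    struct timespec wall, mono;
    int64_t up;
    if (parse_kernel_uptime(line, &up) != 0) return -1;
    if (clock_gettime(CLOCK_REALTIME, &wall) || clock_gettime(CLOCK_MONOTONIC, &mono))
        return -1;
    *stamp_us = stamp_from_uptime(wall.tv_sec * 1000000LL + wall.tv_nsec / 1000,
                                  mono.tv_sec * 1000000LL + mono.tv_nsec / 1000, up);
    return 0;
}
```

A line for which `parse_kernel_uptime` returns -1 has no usable stamp, so the caller would keep the receive time for it.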
