[syslog-ng] Bazsi's blog: syslog-ng flexibility improvements

Balazs Scheidler bazsi at balabit.hu
Thu Feb 2 14:37:18 CET 2012


On Wed, 2012-01-18 at 12:29 -0500, Patrick Hemmer wrote:
> Sent: Wed Jan 18 2012 12:11:10 GMT-0500 (EST)
> From: Balazs Scheidler <bazsi at balabit.hu>
> To: Syslog-ng users' and developers' mailing list 
> <syslog-ng at lists.balabit.hu>
> Subject: Re: [syslog-ng] Bazsi's blog: syslog-ng flexibility improvements
> > On Mon, 2012-01-16 at 12:45 -0800, Evan Rempel wrote:
> >> Balazs Scheidler wrote:
> >>> On Mon, 2012-01-16 at 09:22 -0500, Patrick Hemmer wrote:
> >>>
> >>>>> source s_apache {
> >>>>>    log {
> >>>>>      source { file("/var/log/apache/error.log"); };
> >>>>>      parser(p_apache_parser);
> >>>>>    };
> >>>>> };
> >>>>>
> >>>>> log { source(s_apache); ... };
> >>>>>
> >>>> This just doesn't feel right. I'm not quite sure how else to put it :-)
> >>>> I mean that I think of `log` statements as output handlers for a
> >>>> message. They control how the message leaves syslog-ng, whether it be
> >>>> to a file, database, pipe, whatever. To me it seems to make more sense
> >>>> if the `log` statement is called something else here (inside the
> >>>> `source` block), though what I don't know. Maybe at the least an alias,
> >>>> so that log and the alias are the exact same things, but that reading
> >>>> the config would make it look more logical.
> >>> Sure, I was also thinking hard what keywords to use in this case.
> >>> Internally a log {} is called a "sequence", but sure an alias would be
> >>> easy to do.
> >>>
> >>> Do you perhaps have a suggestion? I'm not a native English speaker, thus
> >>> naming things is sometimes difficult for me.
> >> How about one of these
> >>
> >> pipe
> >> stream
> >> channel
> >> conduit
> >> tube
> >> flow
> >> spout
> >> duct
> >> chute
> >>
> >> I prefer one of
> >>
> >> channel
> >> conduit
> >> duct
> >>
> > Thanks for the names. I'd have to think about them a little bit more to
> > get used to them though. I can't pick one right now, but I'd also like
> > to change them for better readability.
> The only additional ones that popped into my head were
> trunk for log, and branch for junction *like this one
> union for log, and variant for junction

After a long talk with Robi (who maintains our documentation), Algernon,
CzP and the internal syslog-ng team we decided to use one of the
proposed names, "channel", in place of "log" as an alias, and left "junction"
alone.

This means that the preferred form of source-specific manipulation looks
like this:

source s_all {
	channel {
		source { file("/var/log/foo.log"); };
		rewrite { set("foobar" value("FOOVALUE")); };
	};
};

And similarly in all constructs. Right now channel is equivalent to using
"log", e.g. embedded log statements can also use either "log" or
"channel". Top-level log statements are still required to use "log"
though.

This is the patch that implements this:

commit 017e73227752fc0867946ceb84cbfdd074740d78
Author: Balazs Scheidler <bazsi at balabit.hu>
Date:   Tue Jan 31 15:44:21 2012 +0100

    configuration: make the "channel" keyword equivalent to "log" in log expressions
    
    Following a discussion on the syslog-ng mailing list, the "log" keyword
    can be odd when being used as a part of a source/destination/rewrite/parser
    rule. After a lot of debate, the "channel" keyword was chosen.
    
    Signed-off-by: Balazs Scheidler <bazsi at balabit.hu>



-- 
Bazsi



