[syslog-ng] Bazsi's blog: syslog-ng flexibility improvements

Thu Feb 2 17:31:51 CET 2012

When can we expect the "junction" functionality in a release?
3.4? 3.5?

Evan.

Balazs Scheidler wrote:
> On Wed, 2012-01-18 at 12:29 -0500, Patrick Hemmer wrote:
>> Sent: Wed Jan 18 2012 12:11:10 GMT-0500 (EST)
>> From: Balazs Scheidler <bazsi at balabit.hu>
>> To: Syslog-ng users' and developers' mailing list 
>> <syslog-ng at lists.balabit.hu>
>> Subject: Re: [syslog-ng] Bazsi's blog: syslog-ng flexibility improvements
>>> On Mon, 2012-01-16 at 12:45 -0800, Evan Rempel wrote:
>>>> Balazs Scheidler wrote:
>>>>> On Mon, 2012-01-16 at 09:22 -0500, Patrick Hemmer wrote:
>>>>>
>>>>>>> source s_apache {
>>>>>>>    log {
>>>>>>>      source { file("/var/log/apache/error.log"); };
>>>>>>>      parser(p_apache_parser); };
>>>>>>>    };
>>>>>>> };
>>>>>>>
>>>>>>> log { source(s_apache); ... };
>>>>>>>
>>>>>> This just doesnt feel right. I'm not quire sure how else to put it :-)
>>>>>> I mean that I think of `log` statements as output handlers for a
>>>>>> message. They control how the message leaves syslog-ng, whether it be
>>>>>> to a file, database, pipe, whatever. To me it seems to make more sense
>>>>>> if the `log` statement is called something else here (inside the
>>>>>> `source` block), though what I dont know. Maybe at the least an alias,
>>>>>> so that log and the alias are the exact same things, but that reading
>>>>>> the config would make it look more logical.
>>>>> Sure, I was also thinking hard what keywords to use in this case.
>>>>> Internally a log {} is called a "sequence", but sure an alias would be
>>>>> easy to do.
>>>>>
>>>>> Do you perhaps have a suggestion? I'm not a native English speaker, thus
>>>>> naming thing is sometimes difficult for me.
>>>> How about one of these
>>>>
>>>> pipe
>>>> stream
>>>> channel
>>>> conduit
>>>> tube
>>>> flow
>>>> spout
>>>> duct
>>>> chute
>>>>
>>>> I prefer one of
>>>>
>>>> channel
>>>> conduit
>>>> duct
>>>>
>>> Thanks for the names. I'd have to think about them a little bit more to
>>> get used to them though. I can't pick one right now, but I'd also like
>>> to change them for better readability.
>> The only additional ones that popped into my head were
>> trunk for log, and branch for junction *like this one
>> union for log, and variant for junction
> 
> After a long talk with Robi (who maintains our documentation), Algernon,
> CzP and the internal syslog-ng team we decided to use one of the
> proposed "channel" in place of "log" as an alias, and left "junction"
> alone.
> 
> This means that the preferred form of source-specific manipulation looks
> like this:
> 
> source s_all {
> 	channel {
> 		source { file("/var/log/foo.log"); };
> 		rewrite { set("foobar" value("FOOVALUE")); };
> 	}
> };
> 
> And similarly in all constructs. Right now channel is equvalent to using
> "log", e.g. embedded log statements can also use either "log" or
> "channel". Top-level log statements are still required to use "log"
> though.
> 
> This is the patch that implements this:
> 
> commit 017e73227752fc0867946ceb84cbfdd074740d78
> Author: Balazs Scheidler <bazsi at balabit.hu>
> Date:   Tue Jan 31 15:44:21 2012 +0100
> 
>     configuration: make the "channel" keyword equivalent to "log" in log expressions
>     
>     Following a discussion on the syslog-ng mailing list, the "log" keyword
>     can be odd when being used as a part of a source/destination/rewrite/parser
>     rule. After a lot of debate, the "channel" keyword was chosen.
>     
>     Signed-off-by: Balazs Scheidler <bazsi at balabit.hu>
> 
> 
> 

-- 
Evan Rempel                               erempel at uvic.ca
Senior Systems Administrator                 250.721.7691
Unix Services, University Systems, University of Victoria