[syslog-ng] Bazsi's blog: syslog-ng flexibility improvements

Patrick Hemmer syslogng at stormcloud9.net
Mon Jan 16 15:22:21 CET 2012


Sent: Mon Jan 16 2012 08:47:26 GMT-0500 (EST)
From: Balazs Scheidler <bazsi at balabit.hu>
To: syslog-ng at lists.balabit.hu
Subject: [syslog-ng] Bazsi's blog: syslog-ng flexibility improvements
>
>
>   *syslog-ng flexibility improvements
>   <http://bazsi.blogs.balabit.com/2012/01/syslog-ng-flexibility-improvements/>*
>
>
> syslog-ng is often referred as a very flexible application when it 
> comes to processing logs. Over the years however, I began to feel that 
> some things are a bit more difficult to achieve in the configuration 
> language than it should be. For instance it is sometimes too rigid 
> when you need a combination of parsers (patterndb with db-parser) and 
> rewrite rules to achieve the goal you wanted. Parsers and rewrite 
> rules are distinct part of the configuration, it is not possible to 
> combine them into a single functionality. Also, declaring objects 
> first and then referencing them later, makes the configuration easy to 
> read, however sometimes it is quite cumbersome, when you only need to 
> invert the result of an already existing filter.
>
> To solve this situation, I've set out to implement an idea I had on 
> mind for some time now. It is quite difficult to describe the feature 
> in clear and concise words, as it is a combination of various changes 
> that together makes syslog-ng configuration more flexible and easier 
> to use, without sacrificing readability. Curious? Please read on.
>
> *In-line objects*
>
> Perhaps the simplest of all features is that you can now define the 
> contents of a given object right on the spot, without having to use a 
> separate statement. For example, earlier you had to write:
>
> log {
>    source(s_local);
>    filter(f_postfix);
>    destination(d_postfix);
> };
>
> Sometimes, f_postfix filter is only used once and is trivial. This can 
> now be written as:
>
> log {
>   source(s_local);
>   filter { program("^postfix/"); };
>   destination(d_postfix);
> };
>
> Furthermore both the source() and destination() options can be written 
> in-line, you simply use braces instead of parentheses. The same 
> functionality applies to everything: sources, destinations, filters, 
> parsers and rewrite rules.
>
> *Junctions*
>
> A limited form of junctions has been supported since syslog-ng 3.0 in 
> the form of "embedded log statements", which has been generalized now. 
> Within syslog-ng, when a message is received it is dispatched to a log 
> processing path or pipeline, which carries out the task at hand. A 
> junction is a point in the log processing path where the processing is 
> performed on multiple independent branches, each doing its own 
> specific thing with the message.
>
> The limited functionality in 3.0 only allowed the processing tree to 
> split (or fork) into independent branches, each of the branches was a 
> "sink", where processing also ended. Configuration example:
>
> log {
>    source(s_all); filter(f);
>    log { filter(f1); destination(d1); };
>    log { filter(f2); destination(d2); };
> };
>
> This sample forks the processing path into two branches starting with 
> the "log" keyword within the top-level log statement. The first branch 
> evaluates the filter f1 and the writes matching messages to the d1 
> destination, effectively sending all messages that match (f AND f1) to 
> d1. Likewise, d2 receives all messages that match (f AND f2).
>
> The limitation of the embedded log statement concept was simple: it 
> could only be listed at the very end of a log statement, and the 
> end-result of the branches couldn't be processed further. Effectively 
> the message at the end of each branch "fell off". Junctions on the 
> other hand makes it possible to do things to messages once the 
> branches converge to the same point again. Repeating the sample above, 
> it is now possible to write:
>
> log {
>    source(s_all); filter(f);
>    junction {
>      log { filter(f1); destination(d1); };
>      log { filter(f2); destination(d2); };
>    };
>    destination(d_all);
> };
>
> The new thing is that you can now add processing *after* the branches 
> finish their processing. A bit more useful example would be:
>
> log {
>    source(s_apache_files);
>    source(s_syslog);
>    junction {
>      log { filter(f_apache_files); rewrite(r_apache_remove_file_header); parser(p_apache); flags(final); };
>      log { filter(f_apache_syslog); parser(p_apache); flags(final); };
>    };
>    destination(d_files);
> };
>
> This example does an alternative processing of incoming logs based on 
> where the message came from.
>
> *Everything is a log expression*
>
> This feature is probably the most complicated, however provides very 
> nice properties and expressiveness to the configuration. From now on, 
> not just the well known log statement allows the specification of log 
> processing rules, but all the objects in the syslog-ng configuration 
> file can use the same expressive power.
>
> It is now possible to use embedded log statements, junctions and 
> in-line object definitions within source, destination, filter, rewrite 
> and parser definitions. Huh, you could ask: what does it bring to me 
> as a benefit? Well, until now, objects of different types were 
> separate entities, connected using log statements, with this change a 
> source can also specify a rewrite rule and that combination used as a 
> log source in a log statement.
>
> For instance, a usual source definition looked like this:
>
> source s_apache {
>    file("/var/log/apache/error.log");
> };
>
> If you wanted to process this log file in a specific way, you needed 
> to define the accompanying processing rules (parsers and rewrite 
> expressions) and combine them in a log statement. But how about this:
>
> source s_apache {
>    log {
>      source { file("/var/log/apache/error.log"); };
>      parser(p_apache_parser); };
>    };
> };
>
> log { source(s_apache); ... };
>

This just doesnt feel right. I'm not quire sure how else to put it :-)
I mean that I think of `log` statements as output handlers for a 
message. They control how the message leaves syslog-ng, whether it be to 
a file, database, pipe, whatever. To me it seems to make more sense if 
the `log` statement is called something else here (inside the `source` 
block), though what I dont know. Maybe at the least an alias, so that 
log and the alias are the exact same things, but that reading the config 
would make it look more logical. I dont know if I'm understanding the 
distinctions between `log` and `junctions` properly, but it seems as if 
`log`s are a serial execution of the statements within, and `junction`s 
are a parallel execution of the statements within, so maybe names to 
better reflect this?


> Can you see? The s_apache source used a file source and the reference 
> of a specific parser and all messages read from the apache error log 
> file would be processed by that parser. The log statement is just as 
> simple as if s_apache would be a "normal" source definition. This 
> feature allows pairing the essential log preprocessing functionality 
> very close to the source itself, making it very easy to write and read 
> the log statements. As an added bonus, it becomes very easy to 
> distribute application specific source & parser definitions as an SCL 
> configuration snippet.
>
> *Where?*
>
> This stuff is available in the syslog-ng 3.4 git tree 
> <http://github.com/bazsi/syslog-ng-3.4/>, on master. It passes the 
> included regression test, so it is at least dogfoodable. The nice 
> thing about the implementation is that it only slightly increased the 
> code size, but brought a lot of new features. If you have trouble 
> getting the code from git, let me know, I'm willing to create an alpha 
> release, so that it becomes easier to play with it.
>
> *Feedback*
>
> I see a lot of potential in this functionality, however my examples 
> may have not been the best ones. I would really appreciate any kind of 
> feedback, please be sure to send those to the syslog-ng mailing list 
> <http://lists.balabit.hu/mailman/listinfo/syslog-ng/> or post me as a 
> private email.

This does sound like its going to be some useful stuff, and will 
definitely be keeping an eye on it.

Thanks :-)

-Patrick
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20120116/fa8afb3a/attachment.html 


More information about the syslog-ng mailing list