[syslog-ng] Bazsi's blog: syslog-ng flexibility improvements

[Balazs Scheidler]

On Mon, 2012-01-16 at 09:04 -0800, Evan Rempel wrote:
> >> source s_apache {
> >>   log {
> >>     source { file("/var/log/apache/error.log"); };
> >>     parser(p_apache_parser); };
> >>   };
> >> };
> >>
> >> log { source(s_apache); ... };
> >>
> > 
> > This just doesnt feel right. I'm not quire sure how else to put
> it :-)
> > I mean that I think of `log` statements as output handlers for a 
> > message. They control how the message leaves syslog-ng, whether it
> be to 
> > a file, database, pipe, whatever. To me it seems to make more sense
> if 
> > the `log` statement is called something else here (inside the
> `source` 
> > block), though what I dont know. Maybe at the least an alias, so
> that 
> > log and the alias are the exact same things, but that reading the
> config 
> > would make it look more logical. I dont know if I'm understanding
> the 
> > distinctions between `log` and `junctions` properly, but it seems as
> if 
> > `log`s are a serial execution of the statements within, and
> `junction`s 
> > are a parallel execution of the statements within, so maybe names
> to 
> > better reflect this?
> 
> I agree that this does not "feel" right. If the log statement had a
> destination
> that could be used as a source, then the second log statement could
> source
> the destination of the first log statement. That would make all log
> statements
> have a "source" and a "destination".

There are some limitations, destinations cannot be used as sources,
although sources can refer destinations in their own log statement.

E.g. this should work:

source s_apache {
	log {
		source { file("/var/log/apache/error.log"); };
		destination { file("/tmp/apache-error.log"); };
	};
};

And s_apache could be used as a source in another log statement.

I was thinking about limiting these cases, but I've only limited those
were I couldn't find out a good interpretation of the configuration
file.

-- 
Bazsi