[syslog-ng] merging stuff from merge-queue/3.4

Balazs Scheidler bazsi77 at gmail.com
Sat Nov 17 14:33:32 CET 2012 

----- Original message -----
> On Sat, Nov 17, 2012 at 9:00 AM, Balazs Scheidler <bazsi at balabit.hu>
> wrote:
> > system-source: Use follow-freq(1) on FreeBSD prior to 9.1
> > 
> > Are you sure time based polling would work here? I mean time based
> > polling also checks if the size of the file has changed, as it was
> > meant to be used only with regular files.
> 
> Yes, I am sure it works, due to this earlier patch:
> 
> commit 169bc655620bf641eb0429258533037ff9ae52bd
> Author: Gergely Nagy <algernon at balabit.hu>
> Date:     Fri Oct 5 12:16:57 2012 +0200
> 
>         logreader: When following a file, treat non-regular files specially
> 
> > I'm afraid that the inability to use kqueue on /dev/klog would
> > prevent using kqueue completely, as the syslog-ng file source code
> > requires either regular files or pollable devices.
> 
> With the above patch, there is a workaround that will do until we have
> a proper device() source. 

you mean, that with that workaround, logreader will unconditionally read from the fd every follow-freq() seconds, assuming there's something to be read?

I don't see how the device() driver would solve this though.

In the long run, I want a better solution
> than this workaround, but until then, this is in my opinion, an
> acceptable workaround. As the other option which does not require
> extensive changes is to disable kqueue completely (and fall back to
> poll) - which is what has been the case 'till 3.3.6, and it's just as
> bad as this workaround, to be honest. I'd rather not to that, since in
> the long run, we want device() anyway.

agaimn, I don't see how you'd solve this case properly. w/o kqueue support on /dev/log, we'll have to resort to timer based polling.

> 
> > dbparser: support inheriting properties in a corellation action
> > 
> > I merged this one, although I have some doubts. It uses
> > log_msg_clone_cow(), which does have some tricky semantics, as it
> > assumes that the cloned message will not change, once cloned.
> > 
> > I was thinking about removing clone_cow() completely because of this
> > tricky stuff, and whenever we need a clone we're about to change the
> > LogMessage anyway, and delaying the actual change means that we have
> > to do two malloc() calls, instead of one.
> > 
> > Can you test whether changing the message that triggered the action
> > with a rewrite rule, keeps the cloned one intact? This would need a
> > parallel path to the db-parser().
> 
> Mhm, I'll do that and report back (most likely this won't happen 'till
> next thursday, though).

I've travelled into the countryside for the weekend, so probably I won't be checking into this either.

> 
> > dbparser: Make the context length available to action conditions
> > 
> > I didn't pick this one. I was thinking about using a template
> > function to return the number of entries in the current context.
> 
> Indeed, using a template function crossed my mind too, but to do that,
> I would have to do a dance I deemed too expensive, both by the amount
> of code that would need to be written and the number of hoops the
> template function would have to jump through: it would need to be
> called first, then look up the context, then append the string to the
> result.. That seemed overly complicated to me, compared to the few
> lines the patch adds.

You don't have to look up anything, the context is passed to template functions through the invoke args stuff. There are already template functions that use the context, see for instance $(grep)

> 
> > This patch changes the log message while it could keep it read-only,
> > and even if I wanted to do this macro-like, I'd have created a real
> > macro. Both template formatting and template functions receive the
> > context as arguments anyway, so the required information is readily
> > available.
> 
> On the other hand, yeah... keeping the message read-only would be a
> nice bonus. I'll rework this patch.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20121117/0a4d6c06/attachment.htm

More information about the syslog-ng mailing list