[syslog-ng] RFC: syslog-parser

Balazs Scheidler bazsi at balabit.hu
Wed Oct 24 21:05:50 CEST 2012


Hi,

I've figured it is not nice of me that I keep pushing stuff to
"master" without getting proper review from the list. So here's an
attempt to change that.

I've just pushed an experimental patch to the "syslog-parser" branch on
github that allows the syslog parsing functionality to be used as a
syslog-ng parser:

https://github.com/balabit/syslog-ng-3.4/tree/syslog-parser

Here's a short description on why this is useful (quoting the commit
message):

This patch creates a new parser, to explicitly parse messages as syslog
messages. This can be used to selectively parse these messages based on
some filters.

Imagine this use-case:

log {
        source {
                udp(port(2000) flags(no-parse));
        };
        parser {
                log {
                        junction {
                                log {
                                        filter { netmask("127.0.0.1/32"); };
                                        parser { syslog-parser(); };
                                        flags(final);
                                };
                                log {
                                        filter { netmask("127.0.0.2/32"); };
                                        parser { csv-parser(columns("C1", "C2", "C3")); };
                                        flags(final);
                                };
                        };
                };
        };
        destination {
                file("/home/bazsi/logs/qqq" template("$(format-json --key *)\n"));
        };
};

Messages from 127.0.0.1 will get parsed as syslog messages, while those
from 127.0.0.2 as csv-parser() style messages.

I'd welcome any kind of feedback, code or functionality wise. I still
have some stuff to fix in this, but after initial feedback I'm going to
merge it to master.

Thanks in advance.

-- 
Bazsi
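The routing that the configuration above describes, modelled in Python as an added example (this is not code from the patch or from syslog-ng): a netmask filter picks the branch, the branch's parser turns the line into name-value pairs, flags(final) means the first matching branch consumes the message, and the result is emitted the way $(format-json --key *) would. The RFC 3164 header layout, the numeric FACILITY_NUM/LEVEL_NUM values, the SOURCEIP macro and the sample lines are assumptions made for the example; a parser failure is modelled as the message being dropped.

```python
"""Added example: offline model of the syslog-parser()/csv-parser() junction."""
import ipaddress
import json
import re
from typing import Callable, Dict, List, Optional, Tuple

Parser = Callable[[str], Optional[Dict[str, str]]]

# Assumed RFC 3164 layout: <PRI>MMM DD HH:MM:SS HOST PROGRAM[PID]: MESSAGE
_SYSLOG_RE = re.compile(
    r"^<(?P<PRI>\d{1,3})>"
    r"(?P<DATE>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<HOST>\S+) "
    r"(?P<PROGRAM>[^\s:\[]+)(?:\[(?P<PID>\d+)\])?: "
    r"(?P<MESSAGE>.*)$"
)


def syslog_parser(raw: str) -> Optional[Dict[str, str]]:
    """Stand-in for syslog-parser(): split PRI, header and body into name-value
    pairs named after syslog-ng macros. Returns None when the line is not syslog."""
    m = _SYSLOG_RE.match(raw)
    if m is None:
        return None
    fields = {k: v for k, v in m.groupdict().items() if v is not None and k != "PRI"}
    pri = int(m.group("PRI"))
    fields["FACILITY_NUM"] = str(pri >> 3)  # facility is PRI / 8
    fields["LEVEL_NUM"] = str(pri & 7)      # severity is PRI mod 8
    return fields


def csv_parser(columns: List[str]) -> Parser:
    """Stand-in for csv-parser(columns(...)): one value per named column."""
    def parse(raw: str) -> Optional[Dict[str, str]]:
        parts = [p.strip() for p in raw.split(",")]
        if len(parts) != len(columns):
            return None  # column count mismatch: the parser fails, message is dropped
        return dict(zip(columns, parts))
    return parse


def netmask(cidr: str) -> Callable[[str], bool]:
    """Stand-in for filter { netmask(...); }: match on the sender address."""
    net = ipaddress.ip_network(cidr, strict=False)
    return lambda src: ipaddress.ip_address(src) in net


# The two log {} branches of the junction, in order: (filter, parser).
# Both carry flags(final), so the first branch whose filter accepts wins.
BRANCHES: List[Tuple[Callable[[str], bool], Parser]] = [
    (netmask("127.0.0.1/32"), syslog_parser),
    (netmask("127.0.0.2/32"), csv_parser(["C1", "C2", "C3"])),
]


def route(src_ip: str, raw: str) -> Optional[Dict[str, str]]:
    """Walk the junction: the first branch whose filter accepts the message
    parses it and, because of flags(final), no later branch sees it.
    Returns None when no branch matched or the chosen parser failed."""
    for accepts, parser in BRANCHES:
        if not accepts(src_ip):
            continue
        parsed = parser(raw)
        if parsed is not None:
            parsed["SOURCEIP"] = src_ip  # assumed: set by the udp() source driver
        return parsed
    return None


def format_json(fields: Dict[str, str]) -> str:
    """Mirror of $(format-json --key *): every name-value pair as one JSON object."""
    return json.dumps(fields, sort_keys=True)


# Constructed sample input: one line per sender plus one from an unmatched host.
SAMPLES = [
    ("127.0.0.1", "<34>Oct 24 21:05:50 myhost sshd[1234]: Accepted publickey for bazsi"),
    ("127.0.0.2", "alpha, beta ,gamma"),
    ("127.0.0.2", "only,two"),
    ("10.0.0.5", "<34>Oct 24 21:05:50 myhost sshd[1234]: unmatched by any branch"),
]

if __name__ == "__main__":
    for src, line in SAMPLES:
        fields = route(src, line)
        print(format_json(fields) if fields is not None else f"dropped: {src} {line!r}")
```

Running it shows the two outcomes the mail describes (a syslog-shaped record for 127.0.0.1, a C1/C2/C3 record for 127.0.0.2) and the two failure cases worth keeping in mind when wiring up such a junction: a sender that matches no filter produces nothing, and a line that the selected parser rejects is dropped rather than falling through to the other branch.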
