[syslog-ng] Question on custom log writer message output

Balazs Scheidler bazsi77 at gmail.com
Thu May 9 21:09:27 CEST 2013


If all you want to do is a message format then you could use the template()
option for the tcp destination, like this:

destination d_tcp {
    tcp("server" port(whatever)
        template("040404040400010$MESSAGE"));
};

You can even embed hex characters in the template string using the \xFF
escapes. If you want to do a more involved thing, then you probably need a
LogProtoClient implementation, that you can now plug into the network()
destination as a transport. The network destination was introduced in 3.4,
but 3.5 has seen another largish refactoring change in this code.

Creating a LogProtoClient implementation should be straightforward: you
need to create a new "class" from LogProtoClient and override its post()
function. The post method should do everything to submit a message for
sending. If you need duplex communication (e.g. not just one-way tcp like
the "standard" tcp based syslog), you'll probably need to override
prepare() to return which I/O masks you are interested in.

Once you have a working LogProtoClient, you can create a plugin from it and
reference it from the transport() option of the network driver, e.g.

destination d_stuff {
    network("server" port(whatever) transport(mytransport)
            template(whatever));
};

This will instantiate a new LogProtoClient plugin of yours and start
sending messages for you.

If the protocol you want to implement has a client library and perhaps only
has a blocking interface (like SQL clients usually are), you'll need to do
this differently (see for example the sql destination).

Creating a plugin from a LogProtoClient needs some boilerplate, but I can
help with that.



On Thu, May 9, 2013 at 12:38 AM, Dylan Kulesza <dylan.kulesza at gmail.com> wrote:

> I'm working on a custom module to integrate with a third party's native
> log format.  My intent is to have messages come into syslog-ng and
> processed as usual and then sent out a custom destination driver.
>
> Right now I've hacked together different code to make it work (tcp socket
> connection per log source) and now I'm at the point of actually sending a
> custom message.  I've tried to stay as "true" to the syslog-ng as possible
> and have leveraged the log_forward_msg method to send my LogMessage.  I was
> hoping I could just prepend data to the LogMessage but realized after doing
> all the other legwork that it wasn't a simple string :)
>
> So, my question is - what would be the easiest way to leverage the existing
> queue->log_forward_msg (doesn't require the socket to be open vs examples
> such as spoof_source in afsocket)  to write a custom message?  I see that
> LogTemplate may have what I need, but after submerging myself in syslog-ng
> for the past week I'm not seeing clearly...  Can anyone lend a hint/helping
> hand?
>
> What I'm trying to do:
>
> Open Socket
> Send Magic/StartPacket
>
> Prepend all log messages with a byte message - for example:
>
> 040404040400010MESSAGE  (Of course Message would be in bytes/hex).
>
> It seems I would create an NVENTRY for my prepend message and then
> override log_writer_format_log?  to do this?  Not 100% clear how I would
> accomplish this.  I also don't want to change any of the core/lib syslog-ng
> to accomplish this.  Should be implemented purely as a module.
>
>
> Thanks!


-- 
Bazsi
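
A receiver-side check for the template() approach described above, as an added example that is not part of the original mail or of syslog-ng: it reassembles records from TCP reads and verifies that each one starts with the expected binary header. The header bytes, the newline terminator (assumed to be appended to the template string), the sample data and the name PrefixedStreamChecker are all assumptions made for illustration.

```python
# Constructed stand-in for the binary header the template() would emit.
PREFIX = b"\x04\x04\x04\x04\x04\x00\x01"
# Assumption: the template ends in "\n", so records are newline-delimited.
TERMINATOR = b"\n"


class PrefixedStreamChecker:
    """Reassemble records from TCP reads and verify each carries PREFIX."""

    def __init__(self, prefix=PREFIX, terminator=TERMINATOR):
        self.prefix = prefix
        self.terminator = terminator
        self.buffer = b""  # bytes of a record that is not complete yet

    def feed(self, chunk):
        """Return (ok, payload) for every record completed by this chunk."""
        self.buffer += chunk
        results = []
        while True:
            end = self.buffer.find(self.terminator)
            if end < 0:
                break  # the rest is a partial record; wait for more data
            record = self.buffer[:end]
            self.buffer = self.buffer[end + len(self.terminator):]
            if record.startswith(self.prefix):
                results.append((True, record[len(self.prefix):]))
            else:
                results.append((False, record))  # header missing or damaged
        return results


def check_stream(chunks):
    """Run all chunks through one checker; return records and leftover bytes."""
    checker = PrefixedStreamChecker()
    records = []
    for chunk in chunks:
        records.extend(checker.feed(chunk))
    return records, checker.buffer


# Constructed sample reads: a header split across two reads, one record
# without a header, and a trailing record that has not been terminated yet.
SAMPLE_CHUNKS = [
    PREFIX + b"sshd[411]: Accepted publickey for alice\n" + PREFIX[:3],
    PREFIX[3:] + b"su: session opened for root\n",
    b"kernel: no header here\n" + PREFIX + b"cron: partial",
]

if __name__ == "__main__":
    for ok, payload in check_stream(SAMPLE_CHUNKS)[0]:
        print("OK " if ok else "BAD", payload)
```

A header that itself contains the terminator byte would break this framing, which is one reason a binary protocol may need a LogProtoClient rather than a template.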