[syslog-ng] journald prefix

Laszlo Szemere (lszemere) Laszlo.Szemere at oneidentity.com
Wed Aug 5 08:41:14 UTC 2020


Hello,

When I read your email, I immediately thought about some confgen block, where systemd is handled as an exception, and syslog-ng can "do the rest" with a system block in the else branch. (I checked it: the confgen block runs first, so a generated "system()" block will be expanded later by syslog-ng.)

But I thought this must be the "insane idea" you referred to earlier 🙂 So I waited a little; maybe someone on the mailing list has a better option.

In the meantime, I also checked the code of the system() source; maybe we can add an additional parameter. Unfortunately, there was an earlier design choice where we handle all unknown parameters as "app-parser" parameters, so the "pass everything" part will not work in this case. At this point, I could hardly imagine any solution without breaking legacy behavior, but I am open to any suggestion.

Best regards,
Laci
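The confgen approach sketched in the reply above, as an added example that is not part of the thread or of syslog-ng itself: a small generator script that expands to the documented systemd-journal(prefix(...)) driver on journald hosts and to a plain system() source everywhere else. The @module confgen registration line, the script path /etc/syslog-ng/local-source.sh and the journald socket directory used for detection are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): a confgen helper for syslog-ng.
# Registered from syslog-ng.conf (directive syntax assumed from the
# syslog-ng confgen documentation):
#   @module confgen context(source) name(local_source) exec("/etc/syslog-ng/local-source.sh")
#   source s_local { local_source(); };
# syslog-ng inserts whatever this script writes to stdout in place of
# local_source(); a generated system(); is expanded afterwards, as noted
# in the reply.

# Detect journald. Assumption: the socket directory /run/systemd/journal
# only exists while journald is running. An optional argument overrides
# the path so the check can be exercised offline.
has_journald() {
    [ -d "${1:-/run/systemd/journal}" ]
}

# Emit the source definition for the given mode ("journald" or "other").
# Pure function of its argument, so the generated text can be checked
# without touching the host.
gen_source() {
    case "$1" in
        journald)
            # Same driver as the documentation excerpt, keeping the extra
            # journald fields under .SDATA.journald.* so they survive
            # forwarding as structured data.
            printf '%s\n' 'systemd-journal(prefix(".SDATA.journald."));'
            ;;
        *)
            # Non-systemd hosts keep the auto-detected legacy sources.
            printf '%s\n' 'system();'
            ;;
    esac
}

main() {
    if has_journald; then
        gen_source journald
    else
        gen_source other
    fi
}

# Run only when executed by syslog-ng, not when sourced for testing.
case "$0" in
    *local-source.sh) main ;;
esac
```

The generated text must be valid inside a source block, so each alternative ends with the trailing semicolon that system() would otherwise carry.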


________________________________
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Fabien Wernli <wernli at in2p3.fr>
Sent: Wednesday, July 29, 2020 14:38
To: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
Subject: [syslog-ng] journald prefix



Hi,

I'm in the process of simplifying my structured logging config.
Most of my systems now have journald shipping local logs to syslog-ng via
the `system()` auto-expanding source.

While this is convenient, as it makes it possible to use the same config for
all my systems (systemd and rest of world), it also makes it impossible to
configure the underlying driver's defaults.

The task at hand is shipping the journald additional fields, which would be
easy to do using the following excerpt from the documentation:

    source s_journald {
      systemd-journal(prefix(".SDATA.journald."));
    };

This is not possible of course using `system()`.
I've got a couple of ideas on how to handle this, but I'd like to hear
other (probably less insane than my own) ways first :-)

Cheers
