Skip to main content

Thinking about rewrite rules

Again the question on Solaris message IDs was raised in an email sent to me in private. For those who don't know how a Solaris msgid looks like, look at this example:

May 14 18:51:57 inbound2 su: [ID 366847 auth.notice] 'su root' succeeded

I was asked to include an MSGNOID macro which excludes this msgid in the final destination. The problem I have with this approach is that it simply does not scale: there are simply too many combinations to cover with various macros, an example using the msgid case:
  • a macro that includes neither the name of the program, nor the msgid
  • a macro that includes program name only
  • a macro that includes msgid but not the program name
  • a macro that includes both the program name and the msgid
As you can imagine this quickly becomes a maintenance nightmare even if one finds out a proper name for all of these combinations, especially if you add that other devices have their own extensions to syslog.

What I am pondering is to renew my old ideas about adding sed-like rewrite rules to syslog-ng, something along the lines of:

rewrite r_msgid { msg("s/\[ID [0-9]+ [a-z]+\.[a-z]+\]//");

log { source(s_local); filter(f_noid); rewrite(r_msgid); destination(d_messages); };

Of course similar functionality would be added to manipulate all syslog message parts, like hostname. The results would become part of the message itself, thus macros would use the rewritten message. And by the way backreferences could be used to refer various parts of the message, matched by regexps.

What do you think?

Comments

Anonymous said…
sed-like rewrite rules is a feature I would very much like to see in future releases of syslog-ng. it would be an invaluable addition to the product. please consider it!
11:08 PM
Anonymous said…
I've found myself wishing I had the rewrite capabilities at times, but my own testing showed that regular expressions slow down syslog-ng too much when under heavy load:

http://www.campin.net/syslog-ng/faq.html#perf

I think that people will find this incredibly useful and it'll drive further adoption of syslog-ng, but at the same time it'll be the constant source of performance complaints on the mailing list

Just my $0.02.

Nate
7:37 PM
Anonymous said…
This comment has been removed by a blog administrator.
1:27 PM
Post a Comment

Popular posts from this blog

syslog-ng fun with performance

I like christmas for a number of reasons: in addition to the traditional "meet and have fun with your family", eat lots of delicious food and so on, I like it because this is the season of the year when I have some time to do whatever I feel like. This year I felt like doing some syslog-ng performance analysis. After reading Ulrich Deppert's series about stuff "What every programmer should know about memory" on LWN, I thought I'm more than prepared to improve syslog-ng performance. Before going any further, I'd recommend this reading to any programmer, it's a bit long but every second reading it is worth it. As you need to measure performance in order to improve it, I wrote a tool called "loggen". This program generates messages messages at a user-specifyable rate. Apart from the git repository you can get this tool from the latest syslog-ng snapshots. Loggen supports TCP, UDP and UNIX domain sockets, so really almost everything can be me
17 comments
Read more

syslog-ng roadmap 2.1 & 2.2

We had a meeting on the syslog-ng roadmap today where we decided some important things, and I thought I'd use this channel to tell you about it. The Open Source Edition will see a 2.1 release incorporating all core changes currently in the Premium Edition and additionally the SQL destination driver. We are going to start development on the 2.2 PE features, but some of those will also be incorporated in the open source version: support for the latest work of IETF syslog protocols unique sequence numbering for messages support for parsing message contents Previously syslog-ng followed the odd/even version numbering to denote development/stable releases. I'm going to abandon this numbering now: the next syslog-ng OSE release is going to have a 2.1 version number and will basically come out with tested code changes only. The current feature set in PE were developed in a closed manner and I don't want to repeat this mistake. The features that were decided to be part of the Open
12 comments
Read more

syslog-ng 3.0 and SNMP traps

Last time I've written about how syslog-ng is able to change message contents. I thought it'd be useful to give you a more practical example, instead of a generic description. It is quite common to convert SNMP traps to syslog messages. The easiest implementation is to run snmptrapd and have it create a log message based on the trap. There's a small issue though: snmptrapd uses the UNIX syslog() API, and as such it is not able to propagate the originating host of the SNMP trap to the hostname portion of the syslog message. This means that all traps are logged as messages coming from the host running snmptrapd, and the hostname information is part of the message payload. Of course it'd be much easier to process syslog messages, if this were not the case. A solution would be to patch snmptrapd to send complete syslog frames, but that would require changing snmptrapd source. The alternative is to use the new parse and rewrite features of syslog-ng 3.0. First, you need to f
2 comments
Read more