
Fix severity and facility in log message


I'm new to syslog-ng. I have included my logFile.log in the syslog configuration file and the server successfully received the log message. Now I would like to correct the log message syntax by adding severity and priority. For example, using this syntax in a text log file

tag: message

The Syslog server receives a message formatted in tag and message, I would like to set facility and severity in a text. Time, IP and host are just ok. The following configuration is a section of my syslog configuration file.

source s_myLOG {
    file(/home/logFile.log);
};

log {
    source(s_myLOG);
    destination(d_net);
};

How can I do it? Thanks


Solution

  • I assume you mean that the format of every line in /home/logFile.log is like:

    tag: message
    

    where tag is a decimal number encoding the syslog facility and severity values. If you are in control of the application that writes logFile.log, the only thing you need is to change the format slightly:

    <tag>message
    

    With this format syslog-ng automatically parses and extracts the facility/severity information.

    If you are unable to change the application and "tag: message" is a fixed format, then that's a bit more involved. If tag is simply a string that contains a facility value, it's pretty simple, assuming you have a recent syslog-ng version:

    rewrite tag_to_facility {
      # take the text before the first ":" in $MSG and use it as the facility
      set-facility("$(list-head $(explode : $MSG))");
    };
    

    Similarly there's a set-severity() rewrite operation that you could use.

    If tag value is numeric and happens to match how the syslog protocol encodes facility/severity information, you could do something like:

    rewrite tag_to_facility_severity {
      # $(% ) is modulo division, i.e. it masks off the last 3 bits of its argument
      # $(list-head) returns the first element of a list
      # $(explode) splits an argument by a separator and returns a list
      set-severity("$(% $(list-head $(explode : $MSG)) 8)");
      set-facility("$(/ $(- $(list-head $(explode : $MSG)) $SEVERITY_NUM) 8)");
    };
    

    As you can see, syslog-ng has a quite powerful expression language, capable of doing arithmetic. It could somewhat be improved to make it easier to mask off bits of an integer, but I've noted that as a feature request. :)
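
The arithmetic in the second rewrite rule, and the "tag: message" to "<tag>message" conversion, shown as an added Python example (not part of the original answer). The function names, the fallback priority of 13 (user.notice) and the sample lines are assumptions made for illustration.

```python
import re

# Conventional keyword names for the facility/severity numbers of RFC 5424.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3",
              "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err",
              "warning", "notice", "info", "debug"]

MAX_PRI = 23 * 8 + 7  # 191, the largest valid facility/severity encoding
LINE_RE = re.compile(r"^(\d{1,3}):\s?(.*)$")  # "tag: message"


def decode_pri(pri):
    """Split a numeric tag into (facility, severity), as the rewrite rule does."""
    if not 0 <= pri <= MAX_PRI:
        raise ValueError(f"PRI {pri} is outside 0..{MAX_PRI}")
    severity = pri % 8                 # $(% tag 8)
    facility = (pri - severity) // 8   # $(/ $(- tag $SEVERITY_NUM) 8)
    return facility, severity


def describe(pri):
    """Return the 'facility.severity' name for a numeric tag."""
    facility, severity = decode_pri(pri)
    return f"{FACILITIES[facility]}.{SEVERITIES[severity]}"


def convert_line(line, default_pri=13):
    """Rewrite 'tag: message' as '<tag>message'.

    Lines without a usable numeric tag are kept whole and given default_pri
    (an assumption of this example), so no log line is silently dropped.
    """
    text = line.rstrip("\n")
    match = LINE_RE.match(text)
    if match and int(match.group(1)) <= MAX_PRI:
        return f"<{int(match.group(1))}>{match.group(2)}"
    return f"<{default_pri}>{text}"


if __name__ == "__main__":
    # Constructed sample lines in the "tag: message" format.
    for sample in ["38: failed login for root", "165: backup finished",
                   "999: bogus tag", "no tag here"]:
        print(convert_line(sample))
```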