Re: [logs] Syslog payload format

From: marc (marcat_private)
Date: Fri Jan 03 2003 - 12:06:10 PST

  • Next message: marc: "Re: [logs] Syslog payload format"

    You wrote:
    > So here's a suggestion - why not just make a syslog() client
    > that can get popped into a shared lib for starters. Have it log
    > new-style tagged date and time (AND YEAR!) ;) and have a tag
    > like the one Paul and I used for our "backwards compatible"
    > syslog messages - we used "SYSLOGMSG" to indicate "free form
    > stuff."  At least that way the important tags can get defaulted
    > and passed through, and we also know what applications are
    > producing old-style logs so they can eventually be eradicated.
    I am not sure that preload/re-link trickery is the best approach.
    I would suggest a syslogd shim which listens on /dev/log, collects
    old-style syslog messages and injects them into the new logger,
    reformatting as you suggested.
    That is how idsa does it - the main daemon (idsad) listens on /var/run/idsa
    and collects idsa messages, while three shims forward stuff to it.
      idsasyslogd   - listens on /dev/log
      idsarlogd     - collects from UDP/514
      idsaklogd     - collects from /proc/kmsg
    Actually both idsasyslogd and idsarlogd have a code to parse out things
    that look like key=value fields. The code then prepends the process name
    to the label and logs it in a format of my choice.
    For example, this is a real log entry generated by my postfix qmgr, which
    hasn't been modified/preloaded/recompiled in any way. Note the
    postfix_qmgr.from, a label which got generated:
    pid="4725" uid="0" gid="0" time="1040744173" service="postfix/qmgr" host="jade" name="" scheme="syslog" honour="0" arisk="0.142/0.856" crisk="0.000/0. 000" irisk="0.142/0.856" facility="mail" severity="info" message="002B35D14: from=<loganalysis-adminat_private>, size=4983 (queue active)" postfix_qmgr.from="loganalysis-adminat_private" postfix_qmgr.size="4983"
    This also removes the need to make the new API backward compatible.
    The old applications just use the syslog() in the C library
    as in the good old days, and the magic happens
    on the other side of /dev/log.
    Here are the permutations:
    New app/new logger:   excellent
    New app/old syslog:  #ifdef new log calls, or include code to map
                          new to old syslog()
    Old app/new logger:   have shim listening on /dev/log, translate
                          and forward it to new logger, aka idsasyslogd.
                          If you don't like the new logger, just fall
                          back syslogd, no need to relink.
    Old app/old syslog:   too bad
    LogAnalysis mailing list

    This archive was generated by hypermail 2b30 : Fri Jan 03 2003 - 18:53:11 PST