You wrote: > So here's a suggestion - why not just make a syslog() client > that can get popped into a shared lib for starters. Have it log > new-style tagged date and time (AND YEAR!) ;) and have a tag > like the one Paul and I used for our "backwards compatible" > syslog messages - we used "SYSLOGMSG" to indicate "free form > stuff." At least that way the important tags can get defaulted > and passed through, and we also know what applications are > producing old-style logs so they can eventually be eradicated. I am not sure that preload/re-link trickery is the best approach. I would suggest a syslogd shim which listens on /dev/log, collects old-style syslog messages and injects them into the new logger, reformatting as you suggested. That is how idsa does it - the main daemon (idsad) listens on /var/run/idsa and collects idsa messages, while three shims forward stuff to it. idsasyslogd - listens on /dev/log idsarlogd - collects from UDP/514 idsaklogd - collects from /proc/kmsg Actually both idsasyslogd and idsarlogd have a code to parse out things that look like key=value fields. The code then prepends the process name to the label and logs it in a format of my choice. For example, this is a real log entry generated by my postfix qmgr, which hasn't been modified/preloaded/recompiled in any way. Note the postfix_qmgr.from, a label which got generated: pid="4725" uid="0" gid="0" time="1040744173" service="postfix/qmgr" host="jade" name="mail.info" scheme="syslog" honour="0" arisk="0.142/0.856" crisk="0.000/0. 000" irisk="0.142/0.856" facility="mail" severity="info" message="002B35D14: from=<loganalysis-adminat_private>, size=4983 (queue active)" postfix_qmgr.from="loganalysis-adminat_private" postfix_qmgr.size="4983" This also removes the need to make the new API backward compatible. The old applications just use the syslog() in the C library as in the good old days, and the magic happens on the other side of /dev/log. Here are the permutations: New app/new logger: excellent New app/old syslog: #ifdef new log calls, or include code to map new to old syslog() Old app/new logger: have shim listening on /dev/log, translate and forward it to new logger, aka idsasyslogd. If you don't like the new logger, just fall back syslogd, no need to relink. Old app/old syslog: too bad regards marc _______________________________________________ LogAnalysis mailing list LogAnalysisat_private http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Fri Jan 03 2003 - 18:53:11 PST