Issue #9687 has been updated by James Turnbull. Status changed from Unreviewed to Needs More Information Assignee set to Wil Cooley
Not a criticism Wil but does anyone other than Splunk use CIM? Wouldn't it be easier to build an upstream parser than change log output for everyone? ---------------------------------------- Feature #9687: Improve structure of messages logged to syslog https://projects.puppetlabs.com/issues/9687 Author: Wil Cooley Status: Needs More Information Priority: Normal Assignee: Wil Cooley Category: logging Target version: Affected Puppet version: Keywords: Branch: It would be nice if the messages logged to syslog were more clearly structured for processing by log-analysis tools like Splunk. The current messages are kinda parsable, but following CIM, Common Information Model, would be more readily machine-readable. Splunk automatically extracts key=value fields when it finds them in events, so structuring messages like this gets you a lot for free. I think this format would also be more amenable to searching & processing with basic Unix tools like grep and awk. Here is a little, accessible doc about CIM from Splunk (at least Splunk Inc's notion of CIM); a lot of the information I've seen is 1000-ft DMTF gobbledygook: http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/UnderstandandusetheCommonInformationModel And that's even more spec than I care about--the most important part is that the messages are structured as a series of key=value pairs (and that there is internal consistency with the keys). Here are some examples of how one might restructure a few log messages: Current: (//syslog::rsyslog/Service[rsyslog]) Triggering 'refresh' from 2 dependencies CIM: action=refresh resource_type=service resource_name=rsyslog class=syslog::rsyslog triggered_by=2 Current: (/File[/etc/rsyslog.d/30_forward.conf]) Filebucketed /etc/rsyslog.d/30_forward.conf to puppet with sum xxxxxx CIM: action=filebucket resource_type=file resource_name=/etc/rsyslog.d/30_forward.conf buckethost=puppet md5sum=xxxxxx Current: (//denyhosts/File[/var/lib/denyhosts/allowed-hosts]/mode) mode changed '400' to '444' CIM: action=mode_change resource_type=file resource_name=/var/lib/denyhosts/allowed-hosts mode_from=400 mode_to=444 -- You have received this notification because you have either subscribed to it, or are involved in it. To change your notification preferences, please click here: http://projects.puppetlabs.com/my/account -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/puppet-bugs?hl=en.
