It was thus said that the Great Rainer Gerhards once stated:
> > But my overall assumption is that we stick what we currently have, but
> > extend
> > it in a way that provides scoping and do so in a way the provides as
> > many
> > usable interim steps as possible (without adding major work just for
> > those
> > steps). I hope this covers the spirit of our discussion.
>
> I tried very hard the past days to get a grammar together that is an
> evolution from what we currently have. I did not yet succeed fully (thus I
> have no formal grammar to show), but I think I made some progress.
>
> So please let me come back and present a config sample:
>
> http://download.rsyslog.com/rainerscript2_rsyslog.conf
>
> It actually is three configs in one file
>
> a) a standard rsyslog.conf in mixed new and old format
> b) a standard rsyslog.conf in new format, only
> c) a complex rsyslog.conf (not really working) in new format
>
> [partitioned by (just) comments]
>
> Note that being an evolution, any currently existing rsyslog.conf would also
> be a valid new conf (via the *same* parser). I have not thought out the full
> semantics and thousand other things that need to be thought of -- this
> actually opened up a can of worms ;) However, I find the proposed format
> seems to be a good compromise between the need to preserve and the need to
> move on, and between the need for simplicity and the need for power.
>
> As such, before I invest even more time into that format, I'd like to get
> some feedback on what you folks think ;)
Okay, take number two.
After reading the various comments about my last message (using
Lua---rejected for various reasons) what it sounds like you want is a more
declaritive syntax---a mapping of input to output. Have you considered a
syntax like Haskel or Erlang? There functions are declared by pattern
matching input parameters and thus, you tend not to see many (if any) if
statements (okay, I checked a sizable Erlang program I have, and it does use
'case' in a few spots, but not many).
The original syslog.conf file has what I mean to some degree, with a
syntax like:
mail.* @maillogprocessinghost
mail.warn /some/log/file
cron.* /some/other/logfile
Since most of what you want to do is based off the input message, how
about extending this style of syntax to more than just the facility/priority
pair? Since host, program, facility, priority and message are typically the
most interesting fields (at least, in my experience), perhaps a syntax that
includes matching those as well would work. Something like:
# order is host, program, facility, priority, msg
( * , * , mail , (warn err crit alert emerg) , *) => file("/var/log/mail.log")
# the above is the same as the traditional syslog syntax of
# mail.warn /var/log/mail.log
# log cron messages to logs based off the hostname
( * , * , cron , * , * ) => file("/var/log/{host}/cron.log")
# define a list of values
routers = { ip1 ip2 ip3 ip4 }
# use said list in a pattern matching rule
# the msg field uses a regex
( {routers} , * , local2 , * , /(OSPF%-5%-ADJCHG.*Neighbor Down)/ ) => email(
... )
( {routers} , * , local2 , * , /(OSPF%-5%-ADJCHG.*LOADING to FULL)/ ) => email(
... )
# feed SSH failed logins to external program, to block repeated attemts
# ~"blah" will check for the existance of "blah" somewhere in the string
# log all SSH information to a file
( localhost , sshd , auth2 , info , ~"Fail password for" ) => exec( ... )
( * , sshd , auth2 , * , * ) => file( ... )
# auth messages go offsite, never locally, everything else
# gets logged locally, except for *.debug, which gets relayed
# to development machines for processing
( * , * , auth , * , * ) => relay(secure)
( * , * , !auth , !debug , * ) => file(...)
( * , * , !auth , debug , * ) => relay(dev)
Seldom used fields can be explicitely checked
( * , * , * , * , * , relay = A) => ...
No if statements in sight, just a series of patterns and actions when said
pattern is matched. You also have "variables" and a way to reference them,
and I left the syntax for actions vague intentionally.
-spc (Just an idea ... )
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
