On Thu, 18 Jun 2015, Tomas Heinrich wrote:
Date: Thu, 18 Jun 2015 20:54:22 +0200
From: Tomas Heinrich <[email protected]>
To: David Lang <[email protected]>
Cc: rsyslog-users <[email protected]>
Subject: Re: [rsyslog] templates with overrides
On 06/18/15 19:32, David Lang wrote:
I think it would also up the complexity in some core areas a lot as well.
I don't have a realistic estimate, but I'm afraid it would.
I've worked around this problem with
$template manual,"$.custom\n"
and then used rainerscrpt to do things like
if foo then {
set $.custom = exec_template("a");
} else {
set $.custom = exec_template("b");
}
/var/log/bar;manual
Would this work in a pre-v8? (Not that it would be a blocker if it didn't.)
a quick search looks like it went in in 7.5.8/7.6.0/8.1.4
What the sample above does is close to what I've suggested, but it works
around the limitation that you can't set templates "directly".
I think the key thing is that we want to encapsulate the complexity to
as small an area as possible (both in the code and in what the user
needs to do to use it)
The construct above doesn't come naturally. You have to think about how to
bend the tools get the result.
Things get complicated if you use such a template in multiple outputs and you
want to modify them on different conditions. But that is a pretty artificial
scenario.
I agree it's a bit ugly, the question is if making the template be able to be
variable is uglier in the internal code/performance implications.
I've had some fairly ugly things that I've needed to do, where I've ended up
doing
ruleset(name=bar){
action(type=omprog....)
}
and then scattered around my config:
if foo then {
set $.custom...
call bar
}
so that the one instance of the program would get the right input, and that
input is generated in different ways from different sources (occasionally with
the same log message generating multiple outputs to the program)
An example of this is I use this to run an instance of sec that takes one
string/line as input, and complains when that string stops showing up for more
than 4 min (and then complains again every 4 hours if it doesn't come back). I
feed it the hostname of every log, and for some critical services, I feed it the
programname, so that even if the host keeps logging, I'll get alerted if the
service stops logging.
I've tried to solve the multi-template problem by using property-replacer
first, but it didn't work out. Maybe shifting more functionality into or out
of templates would help?.. (The regex function looks like an example of logic
not fitting the concept.)
yep
So instead of switching templates or hardcoding special variables, it could
all be handled inside the template..?
well, there is always the option of creating a custom sm (string generator
module) that you call just like a template, and it can have whatever logic you
want in it. There are a couple of examples in the codebase, but I haven't looked
at them to see if they reference $! variables or not. Adiscon can also write
them for you with a professional services contract (their prices have been
pretty reasonable in my experience)
The idea of the template generation code having some logic in it is what I was
thinking of when I started this thread.
David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
