Dear Carlos,

With your already wonderful script I can log the file as received. However, as I am aware of the RFC which defines syslog rules and conventions, found at http://www.faqs.org/rfcs/rfc3164.html, I need to substitute the value in <?> for the following before the log is created. This is where we get the definitions, where the number enclosed by < > is equal to:

  0  Emergency: system is unusable
  1  Alert: action must be taken immediately
  2  Critical: critical conditions
  3  Error: error conditions
  4  Warning: warning conditions
  5  Notice: normal but significant condition
  6  Informational: informational messages
  7  Debug: debug-level message

Within standard syslog information, as I quoted:

  [2007-04-21 17:31:55] *<6>*EFW: ALG: prio=1 algmod=http algsesid=70500 action=close reason=backlisted_url..........

In the above, this represents an Informational event. If it were to be a 4, this would substitute the word 'warning'. As ALL syslog messages conform to at least these 2 mandatory fields, can I incorporate your code and see any value enclosed in *< >* and have it substitute for the correct Event Title?

Normal expectations of messages are about 38,000 mph - again dependent on staff numbers. I am in the process of building a dedicated Linux PC to perform just this function. Under normal usage you would expect up to 38,000 messages per hour during heavy traffic. Hence I have a management model to do all the statistical work and trends (Linux). After I succeed I will be happy to provide the result. There is an enormous requirement for a Linux Syslog. If you wish, you may publish it on the web.

Kind Regards
Scott :-)

Carlos E. R. wrote:
The Sunday 2007-04-22 at 07:47 +1000, Registration Account wrote:
Those few lines of code are just what I need. Yes, of course I can use KsystemLog - it's all set up to chase the file as it grows by the millisecond and has a wide application use. An Xterm will not offer as much, I feel.
Oh, yes, xterm is much faster than any other GUI app. Try it: leave an xterm with "tailf logfile".
With respect to the substitution of the Priority codes below in place of the value contained in the string below as <?>, is that also as easy to achieve?
I'm not sure what you want there... syslog has standard priority values, but the priority is not printed; it's just used to filter them out to different destination files if wanted.
For instance:
  filter f_mailinfo { level(info) and facility(mail); };
  filter f_mailwarn { level(warn) and facility(mail); };
  filter f_mailerr  { level(err, crit) and facility(mail); };
  filter f_mail     { facility(mail); };
  filter f_myemail  { level(notice) and facility(mail)
                      and not (program("amavis") and match("Passed CLEAN,")); };  # info or notice
...
  destination maildebug { file("/var/log/mail.debug"); };
  log { source(src); filter(f_mail);    destination(maildebug); };
  log { source(src); filter(f_myemail); destination(mail); };
  log { source(src); filter(f_mail);    destination(mail); };
The "/var/log/mail.debug" file will contain all the mail messages of any level, but "/var/log/mail" will only contain those of level "notice" and higher importance, except those coming from the program "amavis" with a certain string.
But I don't know how to insert an arbitrary string indicating the level; for that I think you will need to hack the syslog-ng code.
Please let me know where to send chocolate!
Ugh, I have half a kilo downstairs I shouldn't even look at... leave it as virtual ;-)
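The substitution Scott asks for can be done outside syslog-ng, by post-processing the lines as they arrive. The script below is an added example written for this thread, not code from either poster. One point the RFC he cites makes that is easy to miss: the number in angle brackets is the PRI value, which is Facility * 8 + Severity (RFC 3164 section 4.1.1), so "<6>" is facility 0 (kernel) with severity 6, and a line such as "<38>" is facility 4 (auth) with severity 6, still Informational. The script decodes both, rewrites "<6>" as "<kern.Informational>" (or just "<Informational>"), and leaves any line whose first "<...>" is not a valid PRI (out of range, leading zero, or absent) untouched instead of guessing. The sample lines are constructed here; only the first is the one quoted in the thread. Newer syslog-ng releases also offer $FACILITY and $LEVEL template macros that let the daemon itself write such a label, which may be simpler than a separate process at 38,000 messages per hour.

```python
#!/usr/bin/env python3
"""Annotate syslog lines with the severity (and facility) encoded in the <PRI> field.

Added example for this thread, not code from either poster.
RFC 3164 section 4.1.1: PRI = Facility * 8 + Severity, written as
"<" + decimal value (0..191, no leading zeros) + ">".
"""
import re
import sys

# Severity names exactly as quoted from RFC 3164 in the thread.
SEVERITY_NAMES = (
    "Emergency", "Alert", "Critical", "Error",
    "Warning", "Notice", "Informational", "Debug",
)

# Facility numbers from RFC 3164 section 4.1.1; the short keywords are this
# example's own choice, not names the RFC mandates.
FACILITY_NAMES = (
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
)

# The first "<" on the line must open the PRI field; anything before it (e.g. a
# timestamp prepended by a log viewer, as in Scott's sample) is preserved.
# Leading zeros are not allowed by the RFC, so "<06>" is deliberately rejected.
PRI_RE = re.compile(r"^(?P<prefix>[^<]*)<(?P<pri>0|[1-9]\d{0,2})>(?P<rest>.*)$", re.S)


def decode_pri(pri):
    """Split a PRI value into (facility, severity); None if outside 0..191."""
    if not 0 <= pri <= 191:
        return None
    return divmod(pri, 8)  # facility = pri // 8, severity = pri % 8


def parse_line(line):
    """Return (prefix, facility, severity, rest), or None if no valid PRI is present."""
    m = PRI_RE.match(line)
    if m is None:
        return None
    decoded = decode_pri(int(m.group("pri")))
    if decoded is None:
        return None
    facility, severity = decoded
    return m.group("prefix"), facility, severity, m.group("rest")


def annotate(line, with_facility=True):
    """Rewrite "<6>" as "<kern.Informational>" (or "<Informational>"); unchanged if no PRI."""
    parsed = parse_line(line)
    if parsed is None:
        return line
    prefix, facility, severity, rest = parsed
    label = SEVERITY_NAMES[severity]
    if with_facility:
        label = "%s.%s" % (FACILITY_NAMES[facility], label)
    return "%s<%s>%s" % (prefix, label, rest)


def annotate_stream(lines, with_facility=True):
    """Annotate an iterable of lines; returns (annotated_lines, count_left_unchanged)."""
    out, unchanged = [], 0
    for raw in lines:
        line = raw.rstrip("\n")
        new = annotate(line, with_facility)
        if new == line:          # annotate() always alters a line with a valid PRI
            unchanged += 1
        out.append(new)
    return out, unchanged


# Constructed sample input. The first line is the one quoted in the thread; the
# others are made up to show facility decoding, an out-of-range PRI, and no PRI.
SAMPLE_LINES = [
    "[2007-04-21 17:31:55] <6>EFW: ALG: prio=1 algmod=http algsesid=70500 action=close reason=backlisted_url",
    "<38>Apr 21 17:31:56 gw sshd[1234]: Accepted publickey for scott from 192.0.2.10",
    "<200>Apr 21 17:31:57 gw bogus: PRI above 191 is not valid",
    "Apr 21 17:31:58 gw kernel: line with no PRI at all",
]

if __name__ == "__main__":
    # Pipe a file in ("tailf logfile | python3 annotate.py"); with no pipe, use the samples.
    source = SAMPLE_LINES if sys.stdin.isatty() else sys.stdin
    for line in annotate_stream(source)[0]:
        print(line)
```

The prefix is restricted to "[^<]*" on purpose: once a real PRI has been consumed, a later "<4>" inside the message body cannot be mistaken for it, and a line whose first bracket is not a legal PRI is passed through rather than relabelled.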