Provide a unique sequential message ID #4363
Replies: 8 comments 4 replies
-
the suppression message does not traverse the same path as the messages where you apply the rewrite rule, rather they are generated right within the destination itself, but this means that your rewrite rule does not apply. Also, it is considered a local message and as such syslog-ng generates its own sequenceId. That's why it is different. sequenceId is defined by the RFC as an originator defined sequence https://www.rfc-editor.org/rfc/rfc5424#page-24 So a relay overriding this value may not be completely RFC conformant, which is probably not much relevant to you, but I wanted to point out and explain the current syslog-ng behaviour, that is:
The behaviour you experience stems from the fact that the formatting of the suppression message is hard-coded into the destination logic in syslog-ng, so it does not traverse your rewrite rule. The good news is that all messages have an RCPTID, even the suppression one, so the trick is to inject that value to the message somehow. |
Beta Was this translation helpful? Give feedback.
-
Yes, a template would be possible. I was looking at how I could make the suppression message customizable, but all the alternatives were pretty complicated. But suppress() could be extracted from the destination and provided as a parser () component. With that you could customize its contents. Would that be interesting to you? This is probably even doable today with grouping-by () which would probably use a lot more memory than suppress() but could still deliver the functionality. If that works for you, I'd be willing to implement something that would not be as flexible as grouping-by but would use a lot less resources. Here's a sample that would be similar to suppress, but with grouping-by: I am on a phone so I can't try what I type here. I'll come back from my desktop as I get there. |
Beta Was this translation helpful? Give feedback.
-
This does the job, however I can see some deficiencies with this:
|
Beta Was this translation helpful? Give feedback.
-
I tried to improve this a bit, by using $HOST as key (not as high in cardinality)
The issue here is that trigger() is evaluated by the time the new message is already consumed into a context, so at the time we generate the aggregate we would be aggregating the duplicates and the first non-matching message. We also have where() option but that does not see the context. |
Beta Was this translation helpful? Give feedback.
-
I was testing with this input:
The output of the 1st:
The output of the 2nd (incorrect):
|
Beta Was this translation helpful? Give feedback.
-
Thanks, we encountered another issue.
The RCPTID is 64 bit according to the code, 48 bit according to the documentation. Do you know if when setting In relation to your comment in #3036 (comment), are there going to be any changes? |
Beta Was this translation helpful? Give feedback.
-
you could get to the same results using template functions to $(% $RCPTID
2147483648) would give you a 32 bit counter.
to also get the non-zero capability, use 1 smaller number to modulo with
and add one using something like $(+ $(% $RCPTID 2147483647))
…On Tue, May 9, 2023 at 11:49 AM Alexandre Santos ***@***.***> wrote:
Can the RCPTID be changed to 32bit ?
Can we have an internal log with a notification that the id has rotated?
Thanks, Alex
—
Reply to this email directly, view it on GitHub
<#4363 (reply in thread)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAFOK5R4D4X2QW7V3LHXLBTXFIHK5ANCNFSM6AAAAAAVVK3DTM>
.
You are receiving this because you commented.Message ID:
***@***.***>
--
Bazsi
|
Beta Was this translation helpful? Give feedback.
-
FYI, I've just opened a PR which allows you to change the $SEQNUM behaviour using this configuration sample:
Note the "seqnum-all" flag, this will cause the syslog driver to always send meta.sequenceId as an incrementing number, not just for local messages. I felt the original RFC5424 prescribed behaviour did not make much sense, so you can basically disable it with this flag. I think this is pretty close to what you'd like to accomplish. |
Beta Was this translation helpful? Give feedback.
-
I am trying to provide a unique sequential message ID for each log message.
I am using
use-rcptid(yes);
in the global options and thenrewrite r_sequence_id { set("${RCPTID}" value(".SDATA.meta.sequenceId")); };
in each destination.This works fine, even in restarts and reloads, the sequence is not interrupted, but the indication of suppressed messages comes with a different sequence:
Is there any way that this could be avoided?
Beta Was this translation helpful? Give feedback.
All reactions