On Wed, Aug 26, 2020 at 1:08 PM Willy Tarreau <w...@1wt.eu> wrote: > > Also what would be extra useful, especially for debugging and perhaps > > security, is to add an `http-request|http-response log <level> > > <log-format> if <condition>` that would allow adding additional log > > lines if a certain condition is met. > > We cannot realistically "add more lines" to a request, however deciding > to emit one line at the instant the rule is processed shouldn't be hard > at all, and I definitely see the value there, as you say, both for > debugging and for security alerts.
Yes, you are right, I don't expect such a statement to add a new line to the buffer, but to immediately format a log line and submit it. (This also aids in debugging, because if the same log line is put in multiple places of the `http-request` chain, one could see how a certain header has changed, and it could also help in generating a log line the moment the request was parsed, as opposed to waiting for the response to be processed.) > There's something I've been wanting for a while which would be log profiles > (pre-defined and reusable log-format directives) that would significantly > help with such situations as you probably don't want to duplicate the > exact same format all the time. As such I'd rather first define how we > want to reference them, then make sure that the suggestion above can be > done in a forward compatible way. Although `log-format` profiles might be useful, I would still keep the option to just "paste" the same format everywhere it is needed. (As a minor side-note: the HAProxy configuration syntax is far from trivial, and I see it more as an "assembler" than as a "high level language"; therefore I've built myself a Python generator, https://github.com/cipriancraciun/haproxy-configurator/tree/master/examples, that just generates the matching HAProxy configuration file. Moreover I guess this is the way many other HAProxy integrators do it, especially in the micro-services world.) > These are good ideas that will fuel a long feature request :-) Then, still related to logging, might I add a feature request to just use "raw" lines over UDP or TCP, instead of SysLog? (Just as we have now support for `stdout`, but with network support.) I know there is the issue of reliability, but that is not an issue, given as now SysLog is also over UDP. Thanks, Ciprian.