Acting on an old comment from a friend, I decided to look into what it'd take to get rsyslog to perform running hashes of logs. Conceptually, it's pretty simple - every Nth message inject one message containing the hash of the previous N messages (including the previous hash message). It also gave me an excuse to start digging into the rsyslog code.
At first I thought I could do it with a property replacer, but that seems a wash since those are wholly message-based and don't [seem to] give the opportunity to store information (even a running hash) of prior messages. A plugin was my next hope, but there doesn't seem to be a good mechanism to pipeline those together - AFAICT they're expected to be single ingress/egress points, with no interstitial stages. I see the code for loading other objects as Rainer mentioned in April, but that seems more for central functionality than for chaining modules together. This all brings me back to one of my original questions for rsyslog - is module chaining something that is even on your radar? I'm thinking normalization, hashing, encryption, etc. Almost feels like there should be another layer here, maybe a "mangle" plugin interface that could stack in after im* and before om*? RB _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog
