Hi all,

I have slightly modified the ruleset for writing messages to /dev/log on Linux, and thought about sharing it through the rule repository. The current version contains some error checks and it seems to work. Note, however, that for stream sockets the solution would be somewhat different (it would probably require non-blocking writes on the socket).

I would appreciate any comments and/or corrections to the rules :)

kind regards,
risto
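# Ruleset for writing messages to the local syslog daemon through the
# /dev/log UNIX datagram socket.
#
# All rules except the last one are driven by SEC internal events
# (SEC_STARTUP, SEC_RESTART, SEC_SOFTRESTART), which SEC generates only
# when it is started with the --intevents option.
#
# Shared Perl state used by the rules:
#   %facility, %level - syslog facility/level name => numeric code
#   $syslogsocket     - 1 while the SYSLOG handle is connected, else 0
#   SYSLOG            - global socket handle connected to /dev/log

# Rule 1: at startup, load the Socket module (SEC exits with status 1 if
# that fails) and initialise the lookup tables. continue=TakeNext lets the
# SEC_STARTUP event also reach the next rule.
type=Single
ptype=SubStr
pattern=SEC_STARTUP
context=SEC_INTERNAL_EVENT
continue=TakeNext
desc=Load the Socket module and store facility and level values to hashes
action=assign %a 0; eval %a (require Socket); eval %a (exit(1) unless %a); \
       eval %a ( %facility = ( 'kern' => 0, 'user' => 1, 'mail' => 2, \
                               'daemon' => 3, 'auth' => 4, 'syslog' => 5, \
                               'lpr' => 6, 'news' => 7, 'uucp' => 8, \
                               'cron' => 9, 'authpriv' => 10, 'ftp' => 11, \
                               'ntp' => 12, 'local0' => 16, 'local1' => 17, \
                               'local2' => 18, 'local3' => 19, \
                               'local4' => 20, 'local5' => 21, \
                               'local6' => 22, 'local7' => 23 ); \
                 %level = ('emerg' => 0, 'alert' => 1, 'crit' => 2, \
                           'error' => 3, 'warning' => 4, 'notice' => 5, \
                           'info' => 6, 'debug' => 7); \
                 $syslogsocket = 0; )

# Rule 2: on startup and full restart, (re)connect to /dev/log and compile
# the logging routine into the %syslog action variable.
#
# The routine is called as: call %o %syslog <facility> <level> <tag> <msg>
# It returns the value of send() on success, and undef when fewer than four
# arguments are given, the facility or level name is unknown, or the
# message cannot be delivered.
#
# Changes compared to the originally posted routine:
#  - The tag and the message come from matched input, so ASCII control
#    characters in them are replaced with '?' before they are written.
#    This keeps raw control bytes (terminal escape sequences, stray line
#    breaks) out of the log files that syslogd and its readers process.
#  - If the socket is not connected, or send() fails (for example after
#    syslogd has been restarted), the routine reconnects and retries once
#    instead of silently dropping every message until the next SEC restart.
#
# The timestamp is derived from the scalar localtime() string
# "Www Mmm dd hh:mm:ss yyyy" by cutting the leading weekday and the
# trailing year.
type=Single
ptype=RegExp
pattern=(SEC_STARTUP|SEC_RESTART)
context=SEC_INTERNAL_EVENT
desc=(Re)Open connection to syslogd and compile the logging routine
action=eval %a ( if ($syslogsocket) { close(SYSLOG); $syslogsocket = 0; } \
                 if (socket(SYSLOG, Socket::PF_UNIX, Socket::SOCK_DGRAM, 0) \
                     && connect(SYSLOG, Socket::sockaddr_un('/dev/log'))) \
                 { $syslogsocket = 1; } ); \
       eval %syslog ( sub { \
         if (scalar(@_) < 4) { return undef; } \
         if (!exists($facility{$_[0]})) { return undef; } \
         if (!exists($level{$_[1]})) { return undef; } \
         my($pri) = $facility{$_[0]}*8 + $level{$_[1]}; \
         my($tag) = $_[2]; my($msg) = $_[3]; \
         $tag =~ tr/\x00-\x1f\x7f/?/; \
         $msg =~ tr/\x00-\x1f\x7f/?/; \
         my($time) = scalar(localtime(time())); \
         substr($time, 0, 4) = ""; \
         substr($time, -5) = ""; \
         my($pkt) = "<$pri>$time $tag: $msg"; \
         my($n); my($try); \
         for ($try = 0; $try < 2; ++$try) { \
           if (!$syslogsocket \
               && socket(SYSLOG, Socket::PF_UNIX, Socket::SOCK_DGRAM, 0) \
               && connect(SYSLOG, Socket::sockaddr_un('/dev/log'))) \
           { $syslogsocket = 1; } \
           if (!$syslogsocket) { return undef; } \
           $n = send(SYSLOG, $pkt, 0); \
           if (defined($n)) { return $n; } \
           close(SYSLOG); $syslogsocket = 0; \
         } \
         return undef; } )

# Rule 3: on soft restart only the connection is reopened; the routine
# compiled by rule 2 stays in %syslog.
type=Single
ptype=SubStr
pattern=SEC_SOFTRESTART
context=SEC_INTERNAL_EVENT
desc=(Re)Open connection to syslogd
action=eval %a ( if ($syslogsocket) { close(SYSLOG); $syslogsocket = 0; } \
                 if (socket(SYSLOG, Socket::PF_UNIX, Socket::SOCK_DGRAM, 0) \
                     && connect(SYSLOG, Socket::sockaddr_un('/dev/log'))) \
                 { $syslogsocket = 1; } );

# Rule 4: usage example. An input line "test: <program>: <text>" is logged
# with priority daemon.info, using <program> as the tag. Both values are
# taken verbatim from the input line, so anyone who can write to the
# monitored input chooses the tag and the text of the resulting log entry.
type=Single
ptype=RegExp
pattern=test: (\S+): (.+)
desc=log message '$2' for program $1 with priority daemon.info
action=call %o %syslog daemon info $1 $2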