7/07/2009

One small syslog-ng trick: dpkg messages in syslog

Following Robi's idea, I managed to collect dpkg messages and store them in syslog. I am writing up the solution in the hope that someone finds it interesting. The solution was not so simple, because dpkg does not follow any syslog standard (neither the legacy one nor the new one). This is an example dpkg log line (/var/log/dpkg.log):
2009-07-02 10:18:23 install libjinglexmllite0.3-0 0.3.12-3ubuntu1
The problems are obvious:
  • Timestamp is broken
  • Missing hostname
  • Missing program name and PID
Therefore, if I simply read the file, I would get the following result:
2009-07-02T10:18:23+02:00 test dpkg@root: 2009-07-02 10:18:23 install libjinglexmllite0.3-0 0.3.12-3ubuntu1
So we need to have syslog-ng reorganise the message. The first step is collecting the messages, for which I made a dedicated source object (because of the parser). I used a pipe, but a file source is also possible, according to your taste (do not forget log rotation):
source s_dpkg {
pipe("/var/log/dpkg.log" program_override("dpkg@root:"));
pipe("/path/to/my/chroot/var/log/dpkg.log" program_override("dpkg@mychroot:"));
};
We also need a csv-parser(), which splits the message at spaces. Because the message does not follow the standard, syslog-ng delivers the whole line in the $MSG macro:
parser p_dpkg {
# dpkg writes the date and the time as two space-separated fields, so each
# needs its own column; otherwise the time ends up in DPKGMSG.MSG.
csv-parser(columns("DPKGMSG.DATE", "DPKGMSG.HOUR", "DPKGMSG.MSG")
delimiters(" ")
flags(escape-none,greedy)
template("${MSG}"));
};
The greedy flag makes DPKGMSG.MSG contain the rest of the message, even if it contains spaces. The parser() creates the macros that I use in my template:
template t_dpkg {
template("$R_ISODATE $HOST $PROGRAM ${DPKGMSG.MSG}\n");
template-escape(no);
};
The $PROGRAM macro was filled in at the source by the program_override() option, so the message shows where dpkg was running. Therefore I need only one template. With this template I store the messages in syslog:
destination d_dpkg {
file("/var/log/syslog" template(t_dpkg));
};
Finally I create my log path:
log {
source(s_dpkg);
parser(p_dpkg);
destination(d_dpkg);
};
Let's see the result:
2009-07-02T10:18:23+02:00 test dpkg@root: install libjinglexmllite0.3-0 0.3.12-3ubuntu1
Nice, isn't it? I hope you liked the solution. Now I am off to pack, because this afternoon I am going to the Linux Academy. Bye.
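To check the column layout before touching a live syslog-ng, here is an offline emulation of the greedy space split and of the t_dpkg template. It is an added example, not part of the original post and not syslog-ng code. The DPKGMSG.DATE column name, the function names, the two extra sample lines and the rejection of short lines are assumptions.

```python
"""Offline emulation of the csv-parser split and the t_dpkg template."""
from datetime import datetime, timedelta, timezone

# Constructed sample lines in the dpkg.log layout shown in the post.
SAMPLE = [
    "2009-07-02 10:18:23 install libjinglexmllite0.3-0 0.3.12-3ubuntu1",
    "2009-07-02 10:18:24 status half-installed libjinglexmllite0.3-0 0.3.12-3ubuntu1",
    "2009-07-02 10:18:25 startup packages configure",
]

# DPKGMSG.DATE is an assumed column name for the leading date field.
THREE_COLUMNS = ["DPKGMSG.DATE", "DPKGMSG.HOUR", "DPKGMSG.MSG"]


def greedy_split(msg, columns, delimiter=" "):
    """Split on single spaces; the last column takes the rest of the line,
    spaces included, as the greedy flag does."""
    fields = msg.split(delimiter, len(columns) - 1)
    if len(fields) < len(columns):
        return None  # too few fields; rejecting is this emulation's choice
    return dict(zip(columns, fields))


def render(msg, columns, host, program, received):
    """Rebuild the line as: $R_ISODATE $HOST $PROGRAM ${DPKGMSG.MSG}"""
    parsed = greedy_split(msg, columns)
    if parsed is None:
        return None
    return f"{received.isoformat()} {host} {program} {parsed['DPKGMSG.MSG']}\n"


def demo():
    # $R_ISODATE is the receive time, so it is passed in, not parsed from dpkg.
    received = datetime(2009, 7, 2, 10, 18, 23,
                        tzinfo=timezone(timedelta(hours=2)))
    return [render(line, THREE_COLUMNS, "test", "dpkg@root:", received)
            for line in SAMPLE]


if __name__ == "__main__":
    for out in demo():
        print(out, end="")
```

Calling greedy_split() with only two columns on the same line shows the time staying at the front of DPKGMSG.MSG, which is why the date and the time each need a column.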

7/03/2009

Trainings this autumn

We have scheduled trainings for the second half of the year. What a busy year we'll have (luckily). We have changed a few "little" things:
  • From September we hold trainings on the freshly released SCB 2.0, which have been extended to two days.
  • We also extended the syslog-ng PE training to two days. Of course it covers the 3.0 version.
  • SSB 1.0 is still one day, but we strongly advise taking the syslog-ng training first, for better understanding.
  • Zorp 3.3 is still a 2-3-2 day training (associate 2 days and expert training 3+2 days).
  • Network security training (SR) is also strongly advised before the Zorp training.
  • We have dedicated and scheduled trainings in Munich (4 days for syslog-ng+SSB+SCB).
You can find all the dates on our website. In addition, we hold webinars lasting a few hours; you can apply here.