Acting on an old comment from a friend, I decided to look into what
it'd take to get rsyslog to perform running hashes of logs.
Conceptually, it's pretty simple - every Nth message inject one
message containing the hash of the previous N messages (including the
previous hash message). It also gave me an excuse to start digging
into the rsyslog code.

At first I thought I could do it with a property replacer, but that
seems a wash since those are wholly message-based and don't [seem to]
give the opportunity to store information (even a running hash) of
prior messages. A plugin was my next hope, but there doesn't seem to
be a good mechanism to pipeline those together - AFAICT they're
expected to be single ingress/egress points, with no interstitial
stages. I see the code for loading other objects as Rainer mentioned
in April, but that seems more for central functionality than for
chaining modules together.

This all brings me back to one of my original questions for rsyslog -
is module chaining something that is even on your radar? I'm thinking
normalization, hashing, encryption, etc. Almost feels like there
should be another layer here, maybe a "mangle" plugin interface that
could stack in after im* and before om*?

RB
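
The running-hash scheme described in the message above, as an added example that is not part of the original post and not rsyslog code: every Nth message is followed by an injected record hashing the previous N messages together with the previous hash record, and a verifier replays the stream to find the first record that no longer matches. SHA-256, the `@hashchain` record prefix, the all-zero seed record, the length-prefixed framing and all function names are assumptions made for this sketch.

```python
import hashlib

MARK = "@hashchain "        # assumed prefix marking an injected hash record
SEED = MARK + "0" * 64      # assumed stand-in for "previous hash" of block 1

# Constructed sample messages, not taken from any real system.
SAMPLE = [
    "sshd[811]: Accepted publickey for root from 192.0.2.10",
    "sudo: alice : TTY=pts/0 ; COMMAND=/usr/bin/id",
    "cron[902]: (root) CMD (run-parts /etc/cron.hourly)",
    "sshd[811]: Disconnected from 192.0.2.10",
    "kernel: eth0: link up",
]

def _digest(prev_record, block):
    # Hash the previous hash record followed by the block's messages.
    # Length-prefixing each item keeps message boundaries unambiguous.
    h = hashlib.sha256()
    for item in [prev_record, *block]:
        data = item.encode("utf-8")
        h.update(len(data).to_bytes(4, "big") + data)
    return h.hexdigest()

def chain(messages, n):
    """Return the messages with a hash record injected after every n."""
    out, block, prev = [], [], SEED
    for msg in messages:
        out.append(msg)
        block.append(msg)
        if len(block) == n:
            prev = MARK + _digest(prev, block)
            out.append(prev)
            block = []
    return out  # a trailing partial block stays unsealed

def verify(stream):
    """Return the index of the first hash record that fails, else None."""
    block, prev = [], SEED
    for i, line in enumerate(stream):
        if line.startswith(MARK):
            # A forged message that starts with MARK also fails here.
            if line != MARK + _digest(prev, block):
                return i
            prev, block = line, []
        else:
            block.append(line)
    return None
```

Because the hash is unkeyed, anyone who can rewrite the whole stream can recompute every record, so the chain only proves integrity relative to a hash record stored somewhere the writer cannot reach. Messages after the last hash record are not covered.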