Confused by badges

Michael Bushey's Avatar

Michael Bushey

27 May, 2015 06:34 PM

I do not understand how badges work. 1st off, why does the http badge of "4" match on 404? I'm guessing that "4" : "warning", is somehow matching one the 4s in 404, and then applying 'class="label label-XXX' where in this case XXX is warning.

I added under badges:
                "rfc3164": {
                        "notice" : "info",
                        "warning" : "warning"
                }

and then:
[match] "Severity" : 2,
[types] "Severity" : "badge:rfc3164",

All the notice levels are grey, no color.

log format:

web01 notice ...
web05 warning ...

Thanks again. :)

  1. 1 Posted by Michael Bushey on 28 May, 2015 10:35 PM

    Michael Bushey's Avatar

    Playing around further I'm even more confused. I'm now logging $LEVEL_NUM instead of $LEVEL from the syslog-ng template. From my config.user.php:

                    "http": {
                            "1" : "info",
                            "2" : "success",
                            "3" : "default",
                            "4" : "warning",
                            "5" : "danger"
                    },
                    "rfc3164": {
                            "0" : "info",
                            "4" : "warning",
                            "6" : "info"

                    }

    log format:
    1432849313 web02 6 Copied prod DB into scrub DB
    1432849329 web03 4 Copied prod DB into scrub DB

    When I have:
    "Level" : "badge:http",
    the level of 4 shows up in yellow

    When I have:
    "Level" : "badge:rfc3164",
    the level of 4 shows up in grey

    WHY?? And I jstill do not grasp why the badge:http matches 3 digit codes against 1 digit keys.

    P.S. PML rocks. :)

  2. Support Staff 2 Posted by potsky on 29 May, 2015 07:19 AM

    potsky's Avatar

    Hi !

    I agree : badges are really confused :-)

    Here is the javascript code to parse badges :

    if ( 'badge' === type.parser )
    {
        var clas;
    
        if ( type.param === 'http' )
        {
            clas = badges[ type.param ][ logs.logs[log][ c ].substr( 0 , 1 ) ];
        }
    
        else if ( type.param === 'severity' )
        {
            clas = badges[ type.param ][ logs.logs[log][ c ].toLowerCase() ];
            if ( clas === undefined )
            {
                clas = badges[ type.param ][ logs.logs[log][ c ] ];
            }
        }
    
        if ( clas === undefined )
        {
            clas = 'default';
        }
    
        val = '<span class="label label-' + clas + '">' + val_cut( val , type.cut ) + '</span>';
    }
    

    As you can see, only http and severity badges can be applied. You cannot create new badges.

    1. http badge

    as you can see in this JS code clas = badges[ type.param ][ logs.logs[log][ c ].substr( 0 , 1 ) ];, the http badge get the first char of the log token and apply the corresponding class.

    So all 1xx log tokens will have class info when all 4xx log tokens will have class warning.

    2. severity badge

    Severity matches a full log token to a class. It is case insensitive.

    3. Answer

    When I have: "Level" : "badge:rfc3164", the level of 4 shows up in grey

    as you can see in the JS code, when badge name is not http or severity, the class is default :

    if ( clas === undefined )
    {
        clas = 'default';
    }
    

    In your case, just keep the severity name and add in this badge the tokens you want to assign to a css class :

    "severity": { 
        "0" : "info", 
        "4" : "warning", 
        "6" : "info"
    }
    

    Does it work now ?

  3. 3 Posted by Michael Bushey on 29 May, 2015 05:20 PM

    Michael Bushey's Avatar

    I used severity like you recommended and it's working. :) I would guess it would be a good idea to eventually support the rfc3164 standard, both as descriptions like "info" and numerical levels like "6". https://www.ietf.org/rfc/rfc3164.txt

    Most loggers use <PRI> which requires bit masking to only look at the 3 LSBs (AND it with 7).

    Thanks for your help, PML is really becoming quite invaluable. :)

  4. Support Staff 4 Posted by potsky on 29 May, 2015 09:19 PM

    potsky's Avatar

    Could you send me your rfc3164 badge associative array please ?

    I will include it in the next release.

  5. 5 Posted by Michael Bushey on 29 May, 2015 10:43 PM

    Michael Bushey's Avatar

    This is what I used:
                    "severity": {
                            "0" : "danger",
                            "1" : "danger",
                            "2" : "danger",
                            "3" : "danger",
                            "4" : "warning",
                            "5" : "info",
                            "6" : "success",
                            "7" : "primary"
    }

    syslog-ng can log these numbers with $LEVEL_NUM, and also $LEVEL for the description.

    from /usr/include/sys/syslog.h:
    define LOG_EMERG 0 /* system is unusable */
    define LOG_ALERT 1 /* action must be taken immediately */
    define LOG_CRIT 2 /* critical conditions */
    define LOG_ERR 3 /* error conditions */
    define LOG_WARNING 4 /* warning conditions */
    define LOG_NOTICE 5 /* normal but significant condition */
    define LOG_INFO 6 /* informational */
    define LOG_DEBUG 7 /* debug-level messages */

    I remember $LEVEL logging "notice" and "info" all lower case.

  6. 6 Posted by Michael Bushey on 29 May, 2015 11:38 PM

    Michael Bushey's Avatar

    I set up this template in syslog-ng: template("$LEVEL_NUM $LEVEL $MSG\n")

    and then used logger to send to all 8 levels:

    0 emerg Level test
    1 alert Level test
    2 crit Level test
    3 err Level test
    4 warning Level test
    5 notice Level test
    6 info Level test
    7 debug Level test

Reply to this discussion

Internal reply

Formatting help / Preview (switch to plain text) No formatting (switch to Markdown)

Attaching KB article:

»

Attached Files

You can attach files up to 10MB

If you don't have an account yet, we need to confirm you're human and not a machine trying to post spam.

Keyboard shortcuts

Generic

? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac