[syslog-ng] conf file structure best practice for patterns

Scheidler, Balázs balazs.scheidler at balabit.com
Sat Oct 8 07:20:27 UTC 2016


My take is that small is good, so I'd use separate db-parser instances. Not
to mention that sometimes db-parser is not the best to parse CSV or key-value
data; splitting by application gives you the chance to perform parsing
differently.

On Oct 7, 2016 9:02 PM, "Scot Needy" <scotrn at gmail.com> wrote:

>
> I have some code that can pull subnet info from IPplan or Solarwinds to
> generate 3 conf files.
>
> dynamic-dest.conf
>         destination d_192_168_1_0 { file("/opt/syslog-ng/logs/192_168_1_0/$YEAR$MONTH$DAY-$HOUR-$HOST.log"); };
>
> dynamic-filter.conf
>         filter f_192_168_1_0 { netmask(192.168.1.0/24); };
>
> dynamic-logs.conf
>         log { source(s_net); filter(f_192_168_1_0); destination(d_192_168_1_0); };
>
>
> Many but not all of these subnets are specific to an application like "Cisco
> ASA, VMware or server".
>
> This works well for flat file archiving but when using a pattern database
> would it be best to have one single large patterndb or define unique ones
> for each area when splitting that data stream to ES ?
>
>         log { source(s_net); parser(pattern_db); destination(d_es); };
>
> OR
>         log { source(s_net); filter(f_192_168_1_0); parser(ESXpattern_db); destination(d_es); };
>         log { source(s_net); filter(f_192_168_2_0); parser(ASApattern_db); destination(d_es); };
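An added configuration sketch (not from either poster) of the per-application layout Balázs recommends, assuming `s_net` and `d_es` are defined as in Scot's generated files; the subnet ranges, filter names and pattern-file paths are placeholders:

```conf
@version: 3.8

# Assumed defined elsewhere, as in the original post: source s_net, destination d_es.

# One filter per subnet, as produced by the poster's generator (placeholder ranges).
filter f_esx_hosts { netmask(192.168.1.0/24); };
filter f_asa_fw    { netmask(192.168.2.0/24); };

# One small pattern database per application (hypothetical paths). Keeping each
# db-parser small means a bad or slow rule for one application cannot affect the others.
parser p_esx_db { db-parser(file("/opt/syslog-ng/etc/patterndb/vmware-esx.xml")); };
parser p_asa_db { db-parser(file("/opt/syslog-ng/etc/patterndb/cisco-asa.xml")); };

# For an application that emits key=value pairs, a dedicated parser is a better fit
# than patterndb; extracted fields are stored as name-value pairs prefixed "app.".
filter f_kv_app { netmask(192.168.3.0/24); };
parser p_kv     { kv-parser(prefix("app.")); };

# Per-application paths: filter on the subnet, parse with that application's parser.
log { source(s_net); filter(f_esx_hosts); parser(p_esx_db); destination(d_es); };
log { source(s_net); filter(f_asa_fw);    parser(p_asa_db); destination(d_es); };
log { source(s_net); filter(f_kv_app);    parser(p_kv);     destination(d_es); };

# Messages from subnets with no dedicated path still reach ES unparsed, so a new
# or unclassified host is visible in the index rather than silently dropped.
log { source(s_net); destination(d_es); flags(fallback); };
```

Adding a subnet then means generating one filter and one log statement, and adding an application means one new parser block; the catch-all path is what to watch for volume from hosts that have not yet been classified.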