Granted, I haven't used Kiwi in a few years and I'm sure it's much better than it was (I hear they finally added multi-core support), but if you've got under 50,000 events per second, couldn't you just go <br>
<br>
<tt>[9000 originating devices] -> </tt><tt>[1 syslog-ng server] -> </tt><tt>[4 RSA Envision collectors]</tt><br><br>or, if you've really got that many events, <br><br>
<tt>[9000 originating devices] -> </tt><tt>[F5 load balancer] -> </tt><tt>[2 syslog-ng servers] -> </tt><tt>[4 RSA Envision collectors]</tt><br><br>in short, what do you need the Kiwi servers for? Also, I'm using Cisco server load balancing (available in many IOS versions) to distribute logs across multiple Syslog-NG instances, and it works very well for providing both load balancing and high availability. That may save you from having to use the F5 if you're not using it for anything else.<br>
<br>--Martin<br><br><div class="gmail_quote">On Fri, Oct 30, 2009 at 8:59 AM, <span dir="ltr"><<a href="mailto:Phil.Newlon@wendysarbys.com">Phil.Newlon@wendysarbys.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div>
<p><tt>The netmask() filter won't work for me because I have forwarding devices between the originating devices and the syslog-ng server.</tt><br>
<br>
<tt>[9000 originating devices] -> [F5 load balancer] -> [8 kiwi syslog servers] -> [1 syslog-ng server]</tt><br>
<tt> -> [4 RSA Envision collectors]</tt><br>
<br>
<tt>netmask() sees the eight kiwi servers, not the originating device. I need to distribute the 9000 originating devices across the four RSA devices, so the only way I can see to do that is with a match(IP regex).</tt><br>
<br>
<tt>Thanks,</tt><br>
<br>
<tt>Phil</tt><br>
<br>
<br>
</p>
<tt>From: Robert Fekete <<a href="mailto:frobert@balabit.com" target="_blank">frobert@balabit.com</a>><br>
To: Syslog-ng users' and developers' mailing list <<a href="mailto:syslog-ng@lists.balabit.hu" target="_blank">syslog-ng@lists.balabit.hu</a>><br>
Date: 10/30/2009 06:21 AM<br>
Subject: Re: [syslog-ng] problem with matching IP address and \d regex operand</tt>
<hr style="color: rgb(128, 145, 165);" noshade size="2" width="100%" align="left"><div><div></div><div class="h5"><br>
<br>
<br>
<tt>Hi,<br>
<br>
I don't know much about regexps, but couldn't you cover this with the netmask()<br>
filter?<br>
<br>
Regards,<br>
<br>
Robert<br>
<br>
<a href="mailto:Phil.Newlon@wendysarbys.com" target="_blank">Phil.Newlon@wendysarbys.com</a> wrote:<br>
<br>
> <br>
> I am using this regular expression with Kiwi Syslog to distribute messages<br>
> to several destinations based on the last number of the third octet (0-4<br>
> goes one place, 5-9 goes another).<br>
> <br>
> "10\.\d+\.\d*[0-4]\."<br>
> <br>
> This doesn't work with syslog-ng, of course, but based on my research of<br>
> the archives, this should do the same thing because I've escaped the "\d"<br>
> <br>
> match("10\.\\d+\.\\d*[0-4]\.")<br>
> <br>
> Nope, I get nothing. I've shortened it to just<br>
> <br>
> match("10\.\\d+")<br>
> <br>
> and still get no matching messages.<br>
> <br>
> This sort of works, but gives some unexpected results:<br>
> <br>
> match("10\.[0-9]+\.[0-9]*[0-4]\.")<br>
> <br>
> The match("10\.[0-9]+\.[0-9]*[0-4]\.") statement resulted in 'true' on this<br>
> log message. I didn't expect a match on 10.87.48.4 from it because of the<br>
> '8' as the last number of the third octet not matching '0-4'<br>
> <br>
> Oct 29 16:31:20 10.87.48.4 Kiwi_Syslog_Daemon Oct 29 16:31:20 10.87.48.4<br>
> MSWinEventLog 0 Security 71000 Thu Oct 29 16:31:17 2009<br>
> 538 Security pos User Success Audit POS0408748<br>
> Logon/Logoff User Logoff: User Name: pos Domain:<br>
> POS0408748 Logon ID: (0x0,0x4ACB69) Logon Type: 3 42921033<br>
> <br>
> <br>
> <br>
> So, I have two questions...<br>
> <br>
> What's wrong with this:<br>
> <br>
> match("10\.\\d+\.\\d*[0-4]\.")<br>
> <br>
> And why did this<br>
> match("10\.[0-9]+\.[0-9]*[0-4]\.")<br>
> match this<br>
> Oct 29 16:31:20 10.87.48.4 Kiwi_Syslog_Daemon Oct 29 16:31:20<br>
> 10.87.48.4 MSWinEventLog 0 Security 71000 Thu Oct 29<br>
> 16:31:17 2009 538 Security pos User Success Audit<br>
> POS0408748 Logon/Logoff User Logoff: User Name: pos<br>
> Domain: POS0408748 Logon ID: (0x0,0x4ACB69) Logon Type: 3<br>
> 42921033<br>
> <br>
> Thanks!<br>
> <br>
> Phil<br>
> <span style="font-size:78%;"><span style="font-family:arial;"><strong>Notice:</strong> This e-mail message and its attachments are the property of Wendy's/Arby's Group Inc. </span><br>
> <span style="font-family:arial;">or one of its subsidiaries and may contain confidential or legally privileged information intended</span><br>
> <span style="font-family:arial;">solely for the use of the addressee(s). If you are not an intended recipient, then any use, copying or</span><br>
> <span style="font-family:arial;">distribution of this message or its attachments is strictly prohibited. If you received this message in</span><br>
> <span style="font-family:arial;">error, please notify the sender and delete this message entirely from your system.</span></span><br>
> <br>
> <br>
> ------------------------------------------------------------------------<br>
> <br>
> ______________________________________________________________________________<br>
> Member info: </tt><tt><a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a></tt><tt><br>
> Documentation: </tt><tt><a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a></tt><tt><br>
> FAQ: </tt><tt><a href="http://www.campin.net/syslog-ng/faq.html" target="_blank">http://www.campin.net/syslog-ng/faq.html</a></tt><tt><br>
> <br>
<br>
<br>
<br>
<br>
<br>
</tt><br>
<br>
</div></div></div>
<br></blockquote></div><br>
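<p>The filter strings in this thread are worth running through a model of what the regex engine actually receives. The following is an added example, not code from the list posts or from syslog-ng itself. It assumes the syslog-ng config lexer handles double-quoted strings the way its documentation describes (<tt>\\</tt> becomes a single backslash, <tt>\n</tt>/<tt>\r</tt>/<tt>\t</tt> become control characters, and any other <tt>\x</tt> is reduced to <tt>x</tt>), so a pattern written as <tt>"10\.[0-9]+"</tt> reaches the engine as <tt>10.[0-9]+</tt> with a wildcard dot, while <tt>"10\.\\d+"</tt> reaches it as <tt>10.\d+</tt>, which POSIX ERE does not define (<tt>\d</tt> is a Perl/PCRE construct). Python's <tt>re</tt> stands in for the engine; the wildcard effect does not depend on which engine is used. The sample log line and the <tt>route_bucket</tt> helper (which reads the originating address out of the message text, since a relay in the path means the sender address is the relay's) are constructed for this example.</p>

```python
"""Model of the escaping pitfall in syslog-ng match("...") filters.

Added example, not from the mailing-list thread or from syslog-ng's own code.
"""
import re

# Constructed sample, modelled on the Kiwi-relayed Windows event quoted in the thread.
SAMPLE = (
    "Oct 29 16:31:20 10.87.48.4 Kiwi_Syslog_Daemon Oct 29 16:31:20 10.87.48.4 "
    "MSWinEventLog 0 Security 71000 Thu Oct 29 16:31:17 2009 538 Security pos "
    "User Success Audit POS0408748 Logon/Logoff User Logoff: User Name: pos "
    "Domain: POS0408748 Logon ID: (0x0,0x4ACB69) Logon Type: 3 42921033"
)
# Same line with a third octet whose last digit is in 0-4 (constructed).
SAMPLE_LOW = SAMPLE.replace("10.87.48.4", "10.87.44.4")

_SIMPLE_ESCAPES = {"n": "\n", "r": "\r", "t": "\t"}


def unquote_config_string(s):
    """Turn the text between the quotes of match("...") into the pattern the
    regex engine receives.  Assumed lexer behaviour: \\\\ -> \\, \\" -> ",
    \\n \\r \\t -> control characters, any other \\x -> x (backslash dropped).
    Consequence: a "\\." written once reaches the engine as a bare "." wildcard."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(_SIMPLE_ESCAPES.get(s[i + 1], s[i + 1]))
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def quote_for_config(regex):
    """Inverse direction: take the regex you actually want and produce the text
    to put between the double quotes (every backslash doubled, quotes escaped)."""
    return regex.replace("\\", "\\\\").replace('"', '\\"')


def filter_matches(config_text, line):
    """Evaluate match("<config_text>") against one message as an unanchored
    search, the way the filter behaves.  Python's re stands in for the engine."""
    return re.search(unquote_config_string(config_text), line) is not None


# The regex that expresses the intent in the thread: 10.x.y.z where the last
# digit of y is 0-4.  [0-9] is used instead of \d because POSIX ERE has no \d.
THIRD_OCTET_LOW = r"10\.[0-9]+\.[0-9]*[0-4]\.[0-9]+"


def route_bucket(line):
    """Pick one of two destination groups from the first 10.x.y.z address found
    in the message text (not the sender address, which behind a relay is the
    relay itself).  'low' for a third octet ending in 0-4, 'high' otherwise."""
    m = re.search(r"\b10\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\b", line)
    if not m:
        return None
    third_octet = int(m.group(2))
    return "low" if third_octet % 10 <= 4 else "high"


if __name__ == "__main__":
    for cfg in (r"10\.[0-9]+\.[0-9]*[0-4]\.", r"10\.\\d+", quote_for_config(THIRD_OCTET_LOW)):
        print(f'match("{cfg}")  ->  engine sees: {unquote_config_string(cfg)}'
              f"  ->  matches sample: {filter_matches(cfg, SAMPLE)}")
    print("bucket for sample:", route_bucket(SAMPLE), "| for low sample:", route_bucket(SAMPLE_LOW))
```

Running it shows why <tt>"10\.[0-9]+\.[0-9]*[0-4]\."</tt> is true for <tt>10.87.48.4</tt>: the engine sees <tt>10.[0-9]+.[0-9]*[0-4].</tt>, and with wildcard dots the substring <tt>10.87.48</tt> satisfies it (<tt>[0-9]*</tt> matches nothing, <tt>[0-4]</tt> takes the <tt>4</tt>, the final <tt>.</tt> takes the <tt>8</tt>). Writing the backslashes doubled, as <tt>quote_for_config</tt> produces, makes the same filter false for that line and true for <tt>10.87.44.4</tt>.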