You're right Matthew and this is why I won't use that solution (2 UDP sources). It was just a test. :-)<br>Instead, I'll use only one UDP source with the flag "no-parse" and a patterndb.<br><br>Regards,<br>
<br>Yann<br><br><br><div class="gmail_quote">2010/11/17 Matthew Hall <span dir="ltr"><<a href="mailto:mhall@mhcomputing.net" target="_blank">mhall@mhcomputing.net</a>></span><br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
As a connectionless protocol UDP cannot always detect existing listeners on all platforms. However if you think about it it's clear why this wouldn't work. How would it know which messages should be parse or noparse? It can't read your mind! ;)<br>
<br>
Matthew.<br>
<div><div></div><div><br>
"Yann I." <<a href="mailto:yann.frm@gmail.com" target="_blank">yann.frm@gmail.com</a>> wrote:<br>
<br>
>><br>
>> Does this work?<br>
>><br>
>> source s_udp_not_parsed { udp(port(514) flags(no-parse)); };<br>
>> source s_udp { udp(port(514)); };<br>
>><br>
>> (...)<br>
>><br>
>><br>
>I tried that solution a few days ago and it didn't work. Two processes<br>
>"syslog-ng" listened on port UDP/514 : the messages are not handled<br>
>correctly. They would be handled by "s_udp_not_parsed" or "s_udp".<br>
><br>
>nb : it's strange that two processes can listen on the same port (for the<br>
>protocol UDP) isn't it ? This is the same behaviour with "netcat". I tried<br>
>with netcat (example : nc -l -u 1234) and I have two processes which listen on<br>
>the port UDP/1234. Messages sent by "nc" on the port 1234 are received by<br>
>the last "netcat" which has been started.<br>
><br>
><br>
>For passing yourself back the reparsed message I would recommend<br>
>> unix-dgram. AF_UNIX is usually better than pipes for me at least.<br>
>><br>
><br>
>Thank you ! I'll use AF_UNIX.<br>
><br>
>Regards,<br>
><br>
>Yann I.<br>
><br>
><br>
>2010/11/16 Matthew Hall <<a href="mailto:mhall@mhcomputing.net" target="_blank">mhall@mhcomputing.net</a>><br>
><br>
>> For passing yourself back the reparsed message I would recommend<br>
>> unix-dgram. AF_UNIX is usually better than pipes for me at least.<br>
>><br>
>> Matthew.<br>
>><br>
>> On Tue, Nov 16, 2010 at 12:14:53PM -0600, Martin Holste wrote:<br>
>> > Does this work?<br>
>> ><br>
>> > source s_udp_not_parsed { udp(port(514) flags(no-parse)); };<br>
>> > source s_udp { udp(port(514)); };<br>
>> ><br>
>> > log {<br>
>> > source(s_udp);<br>
>> > parser(db-parser());<br>
>> > destination(d_parsed);<br>
>> > };<br>
>> > log {<br>
>> > source(s_udp_not_parsed);<br>
>> > destination(d_not_parsed);<br>
>> > };<br>
>> ><br>
>> > Otherwise, try reassembling a no-parse like message with a different<br>
>> > output template.<br>
>> ><br>
>> > On Tue, Nov 16, 2010 at 11:13 AM, Yann I. <<a href="mailto:yann.frm@gmail.com" target="_blank">yann.frm@gmail.com</a>> wrote:<br>
>> > > Well I'm not sure because of the flag I used for the UDP source which<br>
>> is set<br>
>> > > to "no-parse".<br>
>> > ><br>
>> > > Here is my problem. From the UDP source, I may receive logs which are<br>
>> not<br>
>> > > "syslog compliant". So I'm using the flag 'no-parse' then I rewrite<br>
>> the<br>
>> > > message. After that rewrite, I forward the new message to the same<br>
>> syslog-ng<br>
>> > > server.<br>
>> > > Then... I can apply filter, parser, etc on that new message which is<br>
>> now<br>
>> > > "syslog compliant" :-)<br>
>> > ><br>
>> > > So, I think I can't use log statement. I need to use that mechanism...<br>
>> > > There might be another solution but this one seems to be a good<br>
>> solution.<br>
>> > ><br>
>> > ><br>
>> > > 2010/11/16 Martin Holste <<a href="mailto:mcholste@gmail.com" target="_blank">mcholste@gmail.com</a>><br>
>> > >><br>
>> > >> Ok, then this should be accomplished with a standard log statement<br>
>> > >> like you've already begun to write. What do your destinations look<br>
>> > >> like?<br>
>> > >><br>
>> > >> On Tue, Nov 16, 2010 at 10:58 AM, Yann I. <<a href="mailto:yann.frm@gmail.com" target="_blank">yann.frm@gmail.com</a>> wrote:<br>
>> > >> > In fact, this is the same process... There is only one process.<br>
>> > >> ><br>
>> > >> ><br>
>> > >> > 2010/11/16 Martin Holste <<a href="mailto:mcholste@gmail.com" target="_blank">mcholste@gmail.com</a>><br>
>> > >> >><br>
>> > >> >> Why do you need separate syslog-ng processes running?<br>
>> > >> >><br>
>> > >> >> On Tue, Nov 16, 2010 at 10:49 AM, Yann I. <<a href="mailto:yann.frm@gmail.com" target="_blank">yann.frm@gmail.com</a>><br>
>> wrote:<br>
>> > >> >> > Hi !<br>
>> > >> >> ><br>
>> > >> >> > I have a question about the use of udp, unix-stream or pipe. I<br>
>> would<br>
>> > >> >> > like to<br>
>> > >> >> > forward a syslog message to the same syslog server like this :<br>
>> > >> >> ><br>
>> > >> >> > | log {<br>
>> > >> >> > | source (s_r_udp); (<-- listen on UDP/514)<br>
>> > >> >> > |<br>
>> > >> >> > | filter (....);<br>
>> > >> >> > | filter (....);<br>
>> > >> >> > | parser (...);<br>
>> > >> >> > |<br>
>> > >> >> > | destination (d_local_syslog); (<-- send the message to a<br>
>> local<br>
>> > >> >> > syslog<br>
>> > >> >> > by using unix-stream, udp or pipe mechanism)<br>
>> > >> >> > | };<br>
>> > >> >> ><br>
>> > >> >> > (...)<br>
>> > >> >> ><br>
>> > >> >> > | log {<br>
>> > >> >> > | source (s_local_syslog); (<--- here I receive the<br>
>> messages<br>
>> > >> >> > sent<br>
>> > >> >> > by<br>
>> > >> >> > the "d_syslog_loop")<br>
>> > >> >> > |<br>
>> > >> >> > | filter (...);<br>
>> > >> >> > | filter (...);<br>
>> > >> >> > | parser (...);<br>
>> > >> >> > |<br>
>> > >> >> > | destination (d_remote_syslog);<br>
>> > >> >> ><br>
>> > >> >> > I'm looking for the best way to send a syslog message to the same<br>
>> > >> >> > syslog<br>
>> > >> >> > server : which mechanism provides the best performance : pipe,<br>
>> udp<br>
>> > >> >> > (by<br>
>> > >> >> > using network) or unix-stream ?<br>
>> > >> >> > Maybe the "pipe" is the better solution ?...<br>
>> > >> >> ><br>
>> > >> >> > I'm using the syslog-ng OSE 3.1.2 on CentOS.<br>
>> > >> >> ><br>
>> > >> >> > Regards,<br>
>> > >> >> ><br>
>> > >> >> > Yann I.<br>
>> > >> >> ><br>
>> > >> >> ><br>
>><br>
</div></div></blockquote></div><br>
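The socket behaviour discussed in this thread, as an added example that is not part of the original messages: a second bind to a busy UDP port is refused unless both listeners set SO_REUSEADDR, and even then each unicast datagram reaches only one of them. It assumes Linux socket semantics and loopback delivery; the function names and the test payload are constructed for illustration, and the thread does not say which socket options syslog-ng or netcat set.

```python
import errno
import socket

def bind_udp(port=0, reuse=False):
    """Bind a UDP socket on loopback; port 0 asks the kernel for a free port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    if reuse:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    try:
        s.bind(("127.0.0.1", port))
    except OSError:
        s.close()
        raise
    s.settimeout(0.5)
    return s

def exclusive_bind_refused():
    """Without SO_REUSEADDR, a second bind to the same port must fail."""
    first = bind_udp()
    port = first.getsockname()[1]
    try:
        bind_udp(port).close()
        return False  # the port was shared silently
    except OSError as exc:
        return exc.errno == errno.EADDRINUSE
    finally:
        first.close()

def deliver_to_shared_port(payload=b"<13>constructed test message"):
    """Two listeners share one port; return the names of those that got the datagram."""
    first = bind_udp(reuse=True)
    port = first.getsockname()[1]
    second = bind_udp(port, reuse=True)  # assumption: Linux permits this for UDP
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sender.sendto(payload, ("127.0.0.1", port))
        receivers = []
        for name, sock in (("first", first), ("second", second)):
            try:
                if sock.recv(1024) == payload:
                    receivers.append(name)
            except socket.timeout:
                pass  # this listener never saw the datagram
        return receivers
    finally:
        for s in (first, second, sender):
            s.close()

if __name__ == "__main__":
    print("exclusive bind refused:", exclusive_bind_refused())
    print("datagram received by:", deliver_to_shared_port())
```

For a log collector, the practical check is that only one process and one source own the listening port, since a second listener on a shared port can take messages away from the first without any error being raised.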