<div>Jim,</div>
<div><br></div>
<div>  Mind if I ask you what the specs are on that system ?</div>
<div><br></div>
<div>John</div>
<div><br></div>
<div class="mailbox_signature">
<br>—<br>Sent from <a href="https://www.dropbox.com/mailbox">Mailbox</a>
</div>
<br><br><div class="gmail_quote"><p>On Fri, Apr 10, 2015 at 7:53 AM, Jim Hendrick <span dir="ltr">&lt;<a href="mailto:jrhendri@roadrunner.com" target="_blank">jrhendri@roadrunner.com</a>&gt;</span> wrote:<br></p><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div>
    
<div> I think it would depend on the filter. If it uses something that is readily available then maybe filter first.  If is a match within the message, then possibly not. </div>
<div><br></div>
<div>The patterndb parser is very fast. I have a single system pulling 24 fields out of a 7000 event per second load and it shows no sign of stress. </div>
<div><br></div>
<div>Jim</div>
<div><br></div>
<div><br></div>
<div><br></div>
<div id="composer_signature"><div style="font-size:85%;color:#575757">Sent from my Verizon Wireless 4G LTE smartphone</div></div>
<br><br>-------- Original message --------<br>From: Mikkel Leth Carlsen &lt;mlca@tdc.dk&gt; <br>Date: 04/10/2015  2:11 AM  (GMT-05:00) <br>To: Syslog-ng users' and developers' mailing list &lt;syslog-ng@lists.balabit.hu&gt; <br>Subject: Re: [syslog-ng] db-parser reuse for multiple logs? <br><br>Hi Evan<br><br>Thanks! I'm not too familiar with how syslog-ng actually implements the configuration and processes syslog messages, but I would think that parsing before filtering could have an impact on performance? I.e. I would want to exclude unwanted data before applying the parser - which I assume is a more costly operation even if it does not match? Perhaps by inserting:<br><br>filter(filter_host1_or_host2);<br><br>before the parser below? <br><br>/Mikkel<br><br>&gt; -----Oprindelig meddelelse-----<br>&gt; Fra: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-<br>&gt; bounces@lists.balabit.hu] På vegne af Evan Rempel<br>&gt; Sendt: 8. april 2015 17:38<br>&gt; Til: syslog-ng@lists.balabit.hu<br>&gt; Emne: Re: [syslog-ng] db-parser reuse for multiple logs?<br>&gt; <br>&gt; I don't have an answer to your actual question, however, you can work<br>&gt; around it by<br>&gt; <br>&gt; log {<br>&gt;          source(src_udp);<br>&gt;          parser(myparser);<br>&gt;          log {<br>&gt;                  filter(filter_host1);<br>&gt;                  destination(dst_host1);<br>&gt;                  flags(final);<br>&gt;          };<br>&gt;          log {<br>&gt;                  filter(filter_host2);<br>&gt;                  destination(dst_host2);<br>&gt;                  flags(final);<br>&gt;          };<br>&gt; };<br>&gt; <br>&gt; Hope that helps.<br>&gt; <br>&gt; Evan.<br>&gt; <br>&gt; On 04/08/2015 04:31 AM, Mikkel Leth Carlsen wrote:<br>&gt; &gt; Hi<br>&gt; &gt;<br>&gt; &gt; Are db-parsers defined in syslog-ng configurations not reusable for<br>&gt; multiple logs?  A simplified example (syslog 3.6.2):<br>&gt; &gt;<br>&gt; &gt; parser myparser {<br>&gt; &gt;          db_parser(<br>&gt; &gt;                  file("/usr/local/etc/patterndb.d/myparser.xml")<br>&gt; &gt;          );<br>&gt; &gt; };<br>&gt; &gt;<br>&gt; &gt; template mytemplate {<br>&gt; &gt;           template("${A};${B};${C}\n");<br>&gt; &gt; }<br>&gt; &gt;<br>&gt; &gt; filter filter_host1 {<br>&gt; &gt;          netmask(10.0.0.1/255.255.255.255);<br>&gt; &gt; };<br>&gt; &gt;<br>&gt; &gt; filter filter_host2 {<br>&gt; &gt;          netmask(10.0.0.2/255.255.255.255);<br>&gt; &gt; };<br>&gt; &gt;<br>&gt; &gt; destination dst_host1 {<br>&gt; &gt;          file("host1.log" perm(0644) template(mytemplate));<br>&gt; &gt; };<br>&gt; &gt;<br>&gt; &gt;<br>&gt; &gt; destination dst_host2 {<br>&gt; &gt;          file("host2.log" perm(0644) template(mytemplate));<br>&gt; &gt; };<br>&gt; &gt;<br>&gt; &gt; log {<br>&gt; &gt;          source(src_udp);<br>&gt; &gt;          filter(filter_host1);<br>&gt; &gt;          parser(myparser);<br>&gt; &gt;          destination(dst_host1);<br>&gt; &gt;          flags(final);<br>&gt; &gt; };<br>&gt; &gt;<br>&gt; &gt; log {<br>&gt; &gt;          source(src_udp);<br>&gt; &gt;          filter(filter_host2);<br>&gt; &gt;          parser(myparser);<br>&gt; &gt;          destination(dst_host2);<br>&gt; &gt;          flags(final);<br>&gt; &gt; };<br>&gt; &gt;<br>&gt; &gt; This seems to work as expected and 'syslog-ng -s' does not report any<br>&gt; problems, but I see the following in the syslog-ng internal log:<br>&gt; &gt;<br>&gt; &gt; Internal error, duplicate configuration elements refer to the same<br>&gt; persistent config; name='db-<br>&gt; parser(/usr/local/etc/patterndb.d/myparser.xml)'<br>&gt; &gt; Internal error, duplicate configuration elements refer to the same<br>&gt; persistent config; name='db-<br>&gt; parser(/usr/local/etc/patterndb.d/myparser.xml)'<br>&gt; &gt;<br>&gt; &gt; /Mikkel<br>&gt; &gt;<br>&gt; _______________________________________________________________________<br>&gt; _______<br>&gt; &gt; Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng<br>&gt; &gt; Documentation:<br>&gt; http://www.balabit.com/support/documentation/?product=syslog-ng<br>&gt; &gt; FAQ: http://www.balabit.com/wiki/syslog-ng-faq<br>&gt; &gt;<br>&gt; _______________________________________________________________________<br>&gt; _______<br>&gt; Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng<br>&gt; Documentation:<br>&gt; http://www.balabit.com/support/documentation/?product=syslog-ng<br>&gt; FAQ: http://www.balabit.com/wiki/syslog-ng-faq<br><br>______________________________________________________________________________<br>Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng<br>Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng<br>FAQ: http://www.balabit.com/wiki/syslog-ng-faq<br><br></div></blockquote></div><br>