<div dir="ltr">Hi!<div><br></div><div>@<span style="color:rgb(33,33,33);font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:13px;font-weight:700;white-space:nowrap">György</span> </div><div>My ultimate goal is to replicate the file/directory for the apache logs on the remote server and create the same structure on my syslog server, perhaps /var/log/$HOST/..... separated from the "OS" logs. </div><div><br></div><div>As i mention, this is the ultimate goal. With the example @Gergely provided. It seems more possible now. </div><div><br></div><div>This is due to there are current mechanism of transferring application logs over but its the least friendly approach. Hence the spark of this thread to look into better delivery methods.</div><div><br></div><div>Since we are on this topic. I don't see the file module in syslog-ng having any option that support writing these metadata into the respective fields in the IETF syslog-ng variables. Means I have to use a rewrite module of some sort to manipulate the metadata right? </div><div><br></div><div>I am getting your point and getting a rough picture of the "pipeline" in my mind now. </div><div><br></div><div>@Gergely</div><div>I am unable to change the format of the apache logs. </div><div><br></div><div>Yes i understand it does not matter becox in the example. syslog-ng would be using the classic BSD syslog.</div><div><br></div><div>Essentially, the entire csv parsed value would be in the MSG field in the BSD syslog-ng. So its sort of "cut" in linux to split the filepath n the log entry. </div><div><br></div><div>Let me give this two options a try. Using the IEFT syslog protocol vs rewritting the MSG field .</div><div><br></div><div>Thanks!</div><div><br></div><div>Yours Sincerely,</div><div>Delon Lee</div><div><br></div><div><br><div class="gmail_quote"><div dir="ltr">On Wed, 9 May 2018 at 21:18 Gergely Nagy <<a href="mailto:algernon@balabit.com">algernon@balabit.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">>>>>> "Delon" == Delon Lee Di Lun <<a href="mailto:lee.delon2005@gmail.com" target="_blank">lee.delon2005@gmail.com</a>> writes:<br>
<br>
Delon> However, Would it be performance "greedy"?<br>
<br>
It will certainly be slower than if you changed Apache to log to a<br>
format that's easier to transport and work with on the server side. But<br>
the CSV parser is quite performant.<br>
<br>
Delon> I read about the new BSD syslog protocol and IETF syslog protocol, doing<br>
Delon> comparison on the cost-benifit analysis on "upgrading" to using the<br>
Delon> protocol.<br>
<br>
In this case, it doesn't matter, because we don't use the protocol, at<br>
least, not in my example.<br>
<br>
Delon> I saw that the new IETF syslog protocol cater for a "APP-NAME" variable.<br>
Delon> Logically speaking, would I able to read in the logs, specify the<br>
Delon> "APP-NAME", on the server site, filter out this "APP-NAME"?<br>
<br>
Yeah, that's a possibility too. But if all you want is store the logs<br>
as-is on the server side, parsing them fully is much more expensive than<br>
what I showed.<br>
<br>
You can use a rewrite rule to change the app name, and then you can<br>
filter on that on the server side. But if you use the filtering to route<br>
messages to files, you can just use a templated filename, which would be<br>
both faster, and the configuration would be a lot shorter too. The<br>
downside is that you need to trust the incoming logs to have the correct<br>
filename.<br>
<br>
-- <br>
|8]<br>
</blockquote></div></div></div>