On Sun, 2010-01-24 at 22:27 -0800, Alexei Shilin wrote:
Hi! I have

source src {
    unix-stream("/dev/log" max-connections(512));
    internal();
    file("/proc/kmsg");
    udp(port(514));
};
...
source temp { udp(port(514)); };

and then I have two log rules: one for src and one for temp, no flags are set.
Will those two sources play nice with each other and will not interfere? E.g. if one reads from that port, will the log message that was read by the first be available for read by the second?

this won't work and will result in a bind error when the second source is being initialized. I don't know what you want to accomplish, but the "tags" feature of syslog-ng 3.1 may be useful for you. With that you can tag a message as it enters syslog-ng:

source s_udp { udp(port(514) tags("net-message")); };
source s_tcp { tcp(tags("net-message")); };
filter f_net { tags("net-message"); };
log { filter(f_net); destination(...); flags(catch-all); };

you can also attach tags via patterndb, and it is quite useful to know that tag based filtering is really fast (since it only takes one bit comparison to evaluate). this is way faster than host/program/etc based filtering.

--
Bazsi
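
Added example, not part of the original thread and not the project's own configuration: one way to lay out the setup discussed above so that UDP port 514 is bound only once while two log paths still receive the network messages. The source names s_local and s_net, the destination names, and the file paths are hypothetical.

```conf
# UDP/514 is declared in exactly one source, so it is bound only once.
# Declaring udp(port(514)) in a second source is what causes the bind error.
source s_local {
    unix-stream("/dev/log" max-connections(512));
    internal();
    file("/proc/kmsg");
};

# Network input, tagged on entry (tags() requires syslog-ng 3.1 or later).
source s_net {
    udp(port(514) tags("net-message"));
};

# Hypothetical destinations for illustration.
destination d_all    { file("/var/log/all.log"); };
destination d_net    { file("/var/log/net.log"); };
destination d_tagged { file("/var/log/tagged.log"); };

filter f_net { tags("net-message"); };

# Log path 1: what the original "src" collected (local + network).
log { source(s_local); source(s_net); destination(d_all); };

# Log path 2: what the original "temp" collected (network only).
# The same source may be referenced by several log paths; with no
# flags(final) set, every matching path gets its own copy of the message.
log { source(s_net); destination(d_net); };

# Tag-based alternative: a catch-all path sees messages from every source
# and keeps only those carrying the tag.
log { filter(f_net); destination(d_tagged); flags(catch-all); };
```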