Certainly! It's not an optimal solution, but the one big benefit you get is that the regexp happens in a different PID, so syslog-ng, in its current single-threaded model, doesn't have to burn resources doing the parsing. This is, of course, assuming that the parsing would be a greater overhead than the pipe overhead, which may or may not be true. Unless you're seeing high CPU utilization on syslog-ng, I totally agree with you and recommend keeping everything in Syslog-NG if at all possible.

On Fri, Oct 15, 2010 at 11:39 PM, Balazs Scheidler <bazsi@balabit.hu> wrote:
> On Fri, 2010-10-15 at 14:43 -0500, Martin Holste wrote:
> > I'll chime in here to once again recommend piping to Perl using program() if you have crazy stuff to do. In your case, you could have a very simple (one liner, really) script that does the regex hostname rewrite so that hostXX would get rewritten to just XX or something easy for syslog-ng to filter on and route to the appropriate destination. Just have a socket source available as the destination from Perl and a source in syslog-ng to complete the circuit.
>
> syslog-ng itself is able to do regexp transformations, it is just hidden under "filter" currently. You don't need to pipe out to Perl and back again.
>
> -- Bazsi
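The in-process approach discussed in this thread, sketched as an added example that was not posted by either participant: a filter captures the numeric part of a hostXX name and the destination reuses it as `$1`. The source name, port, file path and the use of `match()` with `flags("store-matches")` are assumptions for a syslog-ng 3.x configuration.

```conf
# Constructed example; s_net, f_numbered_host, d_per_host and all paths
# are hypothetical names chosen for illustration.
@version: 3.0

source s_net {
    udp(ip(0.0.0.0) port(514));
};

# Match hosts named hostNN and store the digits as $1.
# Anchoring with ^...$ and allowing only [0-9] keeps anything else a
# sender puts in the hostname field (slashes, "..") out of the file name.
filter f_numbered_host {
    match("^host([0-9]+)$" value("HOST") flags("store-matches"));
};

# $1 is the capture group stored by the filter above.
destination d_per_host {
    file("/var/log/hosts/$1.log" create_dirs(yes));
};

# Messages whose hostname does not match are not written by this path;
# route them with a separate log statement.
log {
    source(s_net);
    filter(f_numbered_host);
    destination(d_per_host);
};
```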
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html