Granted I haven't used Kiwi in a few years and I'm sure it's much better than it was (I hear they finally added multi-core support), but if you've got under 50,000 events per second, couldn't you just go

[9000 originating devices] -> [1 syslog-ng server] -> [4 RSA Envision collectors]

or, if you've really got that many events,

[9000 originating devices] -> [F5 load balancer] -> [2 syslog-ng servers] -> [4 RSA Envision collectors]

in short, what do you need the Kiwi servers for?  Also, I'm using Cisco server load balancing (available in many IOS versions) to distribute logs across multiple Syslog-NG instances, and it works very well for providing both load balancing and high availability.  That may save you from having to use the F5 if you're not using it for anything else.

--Martin

On Fri, Oct 30, 2009 at 8:59 AM, <Phil.Newlon@wendysarbys.com> wrote:

The netmask() filter won't work for me because I have forwarding devices between the originating devices and the syslog-ng server.

[9000 originating devices] -> [F5 load balancer] -> [8 kiwi syslog servers] -> [1 syslog-ng server]
                                                                            -> [4 RSA Envision collectors]

netmask() sees the eight kiwi servers, not the originating device.  I need to distribute the 9000 originating devices across the four RSA devices, so the only way I can see to do that is with a match(IP regex).

Thanks,

Phil



From: Robert Fekete <frobert@balabit.com>
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Date: 10/30/2009 06:21 AM
Subject: Re: [syslog-ng] problem with matching IP address and \d regex operand

Hi,

I don't know much about regexps, but couldn't you cover this with the netmask()
filter?

Regards,

Robert

Phil.Newlon@wendysarbys.com wrote:

>
> I am using this regular expression with Kiwi Syslog to distribute messages
> to several destinations based on the last number of the third octet (0-4
> goes one place, 5-9 goes another).
>
>      "10\.\d+\.\d*[0-4]\."
>
> This doesn't work with syslog-ng, of course, but based on my research of
> the archives, this should do the same thing because I've escaped the "\d"
>
>      match("10\.\\d+\.\\d*[0-4]\.")
>
> Nope, I get nothing.  I've shortened it to just
>
>      match("10\.\\d+")
>
> and still get no matching messages.
>
> This sort of works, but gives some unexpected results:
>
>      match("10\.[0-9]+\.[0-9]*[0-4]\.")
>
> The match("10\.[0-9]+\.[0-9]*[0-4]\.") statement resulted in 'true' on this
> log message.  I didn't expect a match on 10.87.48.4 from it because of the
> '8' as the last number of the third octet not matching '0-4'.
>
> Oct 29 16:31:20 10.87.48.4 Kiwi_Syslog_Daemon Oct 29 16:31:20 10.87.48.4
> MSWinEventLog  0       Security        71000   Thu Oct 29 16:31:17 2009
> 538     Security        pos     User    Success Audit   POS0408748
> Logon/Logoff            User Logoff:     User Name: pos     Domain:
> POS0408748     Logon ID:  (0x0,0x4ACB69)     Logon Type: 3         42921033
>
>
>
> So, I have two questions.....
>
> What's wrong with this:
>
>      match("10\.\\d+\.\\d*[0-4]\.")
>
> And why did this
>    match("10\.[0-9]+\.[0-9]*[0-4]\.")
> match this
>      Oct 29 16:31:20 10.87.48.4 Kiwi_Syslog_Daemon Oct 29 16:31:20
> 10.87.48.4 MSWinEventLog  0       Security        71000   Thu Oct 29
> 16:31:17 2009        538     Security        pos     User    Success Audit
> POS0408748      Logon/Logoff            User Logoff:     User Name: pos
> Domain:  POS0408748     Logon ID:  (0x0,0x4ACB69)     Logon Type: 3
> 42921033
>
> Thanks!
>
> Phil
> Notice: This e-mail message and its attachments are the property of Wendy's/Arby's Group Inc.
> or one of its subsidiaries and may contain confidential or legally privileged information intended
> solely for the use of the addressee(s). If you are not an intended recipient, then any use, copying or
> distribution of this message or its attachments is strictly prohibited. If you received this message in
> error, please notify the sender and delete this message entirely from your system.
>
>
> ------------------------------------------------------------------------
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.campin.net/syslog-ng/faq.html
>
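Added example, written for this page and not by any of the thread's participants: a small Python model of why the filter as written fired on 10.87.48.4. It assumes syslog-ng's handling of double-quoted config strings (a backslash before any character other than n, r or t is dropped, so `\.` reaches the regex engine as a wildcard dot and `\\d` as `\d`), and uses Python's `re` as a stand-in for the POSIX engine that syslog-ng's match() used by default, which has no `\d` at all.

```python
import re

# Constructed sample: the log line quoted in the thread, collapsed to one line.
SAMPLE = ("Oct 29 16:31:20 10.87.48.4 Kiwi_Syslog_Daemon Oct 29 16:31:20 10.87.48.4 "
          "MSWinEventLog 0 Security 71000 Thu Oct 29 16:31:17 2009 538 Security pos "
          "User Success Audit POS0408748 Logon/Logoff User Logoff: User Name: pos")

def effective_regex(config_literal: str) -> str:
    """Model of how syslog-ng's config lexer reads a double-quoted string.

    Assumption about the lexer: \\n, \\r and \\t become control characters,
    \\\\ becomes one backslash, and a backslash before any other character is
    simply dropped. So "\\." reaches the regex engine as "." (any character)
    and "\\\\d" reaches it as "\\d".
    """
    out, i = [], 0
    while i < len(config_literal):
        ch = config_literal[i]
        if ch == "\\" and i + 1 < len(config_literal):
            nxt = config_literal[i + 1]
            out.append({"n": "\n", "r": "\r", "t": "\t"}.get(nxt, nxt))
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)

def matches(config_literal: str, message: str) -> bool:
    """Would match("<config_literal>") fire on message?

    Python's re stands in for the POSIX engine; for these patterns the two
    agree. (POSIX regcomp has no \\d, which is why the "\\\\d" variants in
    the thread matched nothing: the engine saw "\\d", not a digit class.)
    """
    return re.search(effective_regex(config_literal), message) is not None

if __name__ == "__main__":
    # The thread's filter, exactly as typed into the config file.
    as_written = r"10\.[0-9]+\.[0-9]*[0-4]\."
    print(effective_regex(as_written))   # 10.[0-9]+.[0-9]*[0-4].
    # True: "10.87.48" is 10, any(.), 87, any(.), empty [0-9]*, 4, any(8)
    print(matches(as_written, SAMPLE))
    # Doubling the backslashes keeps the dots literal.
    corrected = r"10\\.[0-9]+\\.[0-9]*[0-4]\\."
    print(effective_regex(corrected))    # 10\.[0-9]+\.[0-9]*[0-4]\.
    print(matches(corrected, SAMPLE))    # False: third octet 48 ends in 8
    print(matches(corrected, SAMPLE.replace("10.87.48.4", "10.87.43.4")))  # True
```

Even the corrected pattern is tested against the whole message, which here carries the IP twice plus other numbers; syslog-ng 3.x lets match() take value("HOST") to test only the header host field and type("pcre") to make \d available.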