We use:

syslog-ng-ctl query get source.*.processed --reset

in a cron job just before midnight to capture the entire day's stats. They show up in the format:

source.s_local.processed=4722471
source.s_BSD_TCP.processed=6299967
source.s_RFC5424_TCP.processed=0
source.s_network_source.processed=27695900
...

where "s_local", "s_BSD_TCP", etc. are the source names inside the syslog-ng.conf file. Note that the "--reset" on the end does just that: resets the stats to zero.

A little scripting to divide the numbers above by 86400 will give you the count of messages per second by source. (We convert ours to JSON and dump it into Splunk for later viewing.)

Regards,

Jonathan Wilson
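As an added example (not the poster's own script), the "little scripting" step above: parse the `syslog-ng-ctl query get source.*.processed --reset` output, divide each counter by 86400 to get messages per second, and emit JSON records. The sample input is constructed from the format shown in the post; the JSON layout (one record per source with date, raw count, rate and window length) is this example's own choice, not the shape the poster feeds into Splunk.

```python
"""Convert a day's syslog-ng source counters into per-second rates as JSON.

Added example, not code from the original post. The input below is
constructed from the format shown in the post; the JSON layout is an
assumption.
"""
import json
import re
from datetime import date

SECONDS_PER_DAY = 86400

# One counter per line: source.<name>.processed=<count>
COUNTER_RE = re.compile(r"^source\.(?P<name>[^.]+)\.processed=(?P<count>\d+)$")

# Constructed sample, shaped like the post's syslog-ng-ctl output.
SAMPLE_OUTPUT = """\
source.s_local.processed=4722471
source.s_BSD_TCP.processed=6299967
source.s_RFC5424_TCP.processed=0
source.s_network_source.processed=27695900
"""


def parse_counters(text):
    """Return {source_name: processed_count} from the query output.

    Lines that do not match the expected shape (warnings, other stats)
    are skipped rather than aborting the whole nightly job.
    """
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line.strip())
        if m:
            counters[m.group("name")] = int(m.group("count"))
    return counters


def rates_per_second(counters, window_seconds=SECONDS_PER_DAY):
    """Divide each count by the length of the collection window.

    The window is a parameter because --reset zeroes the counters: if a
    nightly run is missed, the next reading spans two days, not one.
    """
    if window_seconds <= 0:
        raise ValueError("window_seconds must be positive")
    return {name: round(count / window_seconds, 3) for name, count in counters.items()}


def to_json(counters, day, window_seconds=SECONDS_PER_DAY):
    """Build one JSON record per source carrying raw count and rate."""
    rates = rates_per_second(counters, window_seconds)
    records = [
        {
            "date": day.isoformat(),
            "source": name,
            "processed": count,
            "msgs_per_sec": rates[name],
            "window_seconds": window_seconds,
        }
        for name, count in sorted(counters.items())
    ]
    return json.dumps(records, indent=2)


if __name__ == "__main__":
    # In the cron job, the text would come from the command's stdout, e.g.
    # subprocess.run(["syslog-ng-ctl", "query", "get", "source.*.processed",
    #                 "--reset"], capture_output=True, text=True).stdout
    print(to_json(parse_counters(SAMPLE_OUTPUT), date.today()))
```

Run it from cron right after the query and redirect the output to wherever your forwarder picks up JSON; a per-source rate that drops to zero for a source that normally carries traffic is the quickest sign that a feed has stopped arriving.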