quick question on host() in syslog-ng 3.1.4
Folks,

I want host() to do a literal, exact string match instead of regex. For message() you can do this: message("foo" type("string")) and get an exact string match. Does this type() and flags() (so you can do substrings) also work on the host() operator? This is on syslog-ng 3.1.4.

I finally moved off of Solaris (easier to just get a Linux box up and running it turned out) and am attempting to modify the insane config I have to be more performance friendly. I've got about 300 host() matches going on, dumping hosts to various folder structures, and figured that if I could get it to do an exact match instead of regex it would be that much more efficient.

Of course, I could always do host("^192\.168\.1\.1$") but that seems kind of silly when I don't need regex at all.

FWIW, syslog-ng -s doesn't complain about this in the config, and it starts/runs fine, I just can't tell if it's still using regex or not.

Thanks,
--Mike
Mishou Michael <Michael.Mishou@csirc.irs.gov> writes:

> I want host() to do a literal, exact string match instead of regex. For message() you can do this: message("foo" type("string")) and get an exact string match. Does this type() and flags() (so you can do substrings) also work on the host() operator?

As far as I can see, yes. Though, flags sets regexp flags, it probably won't work with strings. If you want substring matches, which are faster than regexps, then type("glob") might be of interest to you.

> Of course, I could always do host("^192\.168\.1\.1$") but that seems kind of silly when I don't need regex at all.
>
> FWIW, syslog-ng -s doesn't complain about this in the config, and it starts/runs fine, I just can't tell if it's still using regex or not.

A quick look at the sources suggests that host() does indeed support type("string"). But it's reasonably easy to verify: if the following filter works, then it's using a regex, despite being told otherwise:

    filter f_test { host("^.*$" type("string")); };

A quick question though: wouldn't it be more efficient to use templates instead of filters? While it's not suitable in all cases, when you only want to direct each host's logs to a different file, then something like the following would be more efficient than filters:

    destination d_hosts { file ("/var/log/hosts/$HOST.log"); };

-- 
|8]
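The difference between the three match types discussed above, and the "^.*$" verification test, can be modelled in a few lines. This is an added example, not part of the original messages and not syslog-ng code: Python's re module stands in for syslog-ng's regex engine, the glob model supports only * and ?, the function names are hypothetical, and the host values are constructed.

```python
import re

def glob_to_regex(pattern):
    # Simplified glob model (assumption): '*' = any run, '?' = one char,
    # every other character is literal.
    parts = []
    for ch in pattern:
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return "".join(parts)

def host_matches(pattern, host, match_type="regex"):
    """Model of host(pattern type(match_type)) evaluated against one host value."""
    if match_type == "regex":
        # Unanchored search: the pattern may match anywhere in the host value,
        # and an unescaped '.' matches any character.
        return re.search(pattern, host) is not None
    if match_type == "string":
        # Literal comparison: regex metacharacters have no special meaning.
        return pattern == host
    if match_type == "glob":
        return re.fullmatch(glob_to_regex(pattern), host) is not None
    raise ValueError("unknown match type: %s" % match_type)

def routed(pattern, match_type, hosts):
    """Return the hosts whose logs this filter would select."""
    return [h for h in hosts if host_matches(pattern, h, match_type)]

# Constructed sample host values; the last one is a literal host named "^.*$".
HOSTS = ["192.168.1.1", "192.168.1.10", "192.168.1.100",
         "10.192.168.1.1", "192.168.111", "^.*$"]

if __name__ == "__main__":
    cases = [
        ("192.168.1.1", "regex"),        # unanchored, unescaped: over-matches
        (r"^192\.168\.1\.1$", "regex"),  # the anchored form from the thread
        ("192.168.1.1", "string"),       # exact match, no escaping needed
        ("192.168.1.*", "glob"),
        ("^.*$", "regex"),               # verification filter if regex is used
        ("^.*$", "string"),              # verification filter if string is used
    ]
    for pattern, match_type in cases:
        print("%-20s %-6s -> %s" % (pattern, match_type,
                                    routed(pattern, match_type, HOSTS)))
```

With several hundred host() filters, the first case is the one to audit for: an unanchored, unescaped address silently selects logs from other hosts, while the string form cannot.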
Gergely,

Thanks for the quick response, as always. I'll keep glob in mind for substrings, what I had been doing was message("foo" type("string") flags("substring")); but it seems like glob would be less typing :-).

Re: templates, absolutely! I'm trying to get the old config in a working state so I can concentrate on getting a new, much less complicated config in place. I envision templating being a big part of it, then just using symlinks to make things easier on the humans, or a hosts file with names I'd prefer instead of the IP addresses we'd end up with for the various devices.

Thanks for the help!

Regards,
--Mike

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Gergely Nagy
Sent: Thursday, June 16, 2011 1:25 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] quick question on host() in syslog-ng 3.1.4
participants (2)
- Gergely Nagy
- Mishou Michael