conf file structure best practice for patterns
I have some code that can pull subnet info from IPplan or Solarwinds to generate 3 conf files.

dynamic-dest.conf
destination d_192_168_1_0 { file(/opt/syslog-ng/logs/192_168_1_0/$YEAR$MONTH$DAY-$HOUR-$HOST.log);};

dynamic-filter.conf
filter f_192_168_1_0 { netmask(192.168.1.0/24);};

dynamic-logs.conf
log { source(s_net); filter(f_192_168_1_0); destination(d_192_168_1_0);};

Many but not all of these subnets are specific to an application like "Cisco ASA, VMware or server".

This works well for flat file archiving, but when using a pattern database would it be best to have one single large patterndb or define unique ones for each area when splitting that data stream to ES?

log { source(s_net); parser(pattern_db); destination(d_es);};

OR

log { source(s_net); filter(f_192_168_1_0); parser(ESXpattern_db); destination(d_es);};
log { source(s_net); filter(f_192_168_2_0); parser(ASApattern_db); destination(d_es);};
…
My take is that small is good, so I'd use separate db-parser instances. Not to mention that sometimes db-parser is not the best to parse CSV or key-value data, and splitting by application gives you the chance to perform parsing differently.

On Oct 7, 2016 9:02 PM, "Scot Needy" <scotrn@gmail.com> wrote:

> I have some code that can pull subnet info from IPplan or Solarwinds to generate 3 conf files.
>
> dynamic-dest.conf
> destination d_192_168_1_0 { file(/opt/syslog-ng/logs/192_168_1_0/$YEAR$MONTH$DAY-$HOUR-$HOST.log);};
>
> dynamic-filter.conf
> filter f_192_168_1_0 { netmask(192.168.1.0/24);};
>
> dynamic-logs.conf
> log { source(s_net); filter(f_192_168_1_0); destination(d_192_168_1_0);};
>
> Many but not all of these subnets are specific to an application like "Cisco ASA, VMware or server".
>
> This works well for flat file archiving, but when using a pattern database would it be best to have one single large patterndb or define unique ones for each area when splitting that data stream to ES?
>
> log { source(s_net); parser(pattern_db); destination(d_es);};
>
> OR
>
> log { source(s_net); filter(f_192_168_1_0); parser(ESXpattern_db); destination(d_es);};
> log { source(s_net); filter(f_192_168_2_0); parser(ASApattern_db); destination(d_es);};
> …
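A generator for the per-application layout Balázs recommends, as an added example that is not code from either poster: the inventory list, the patterndb file paths, the p_* parser names and the extra dynamic-parser.conf are all assumptions. It also rejects overlapping subnets, because two matching netmask() filters would push the same message through two parser paths into ES.

```python
import ipaddress

# Constructed inventory standing in for IPplan/Solarwinds output (assumed shape).
SUBNETS = [
    ("192.168.1.0/24", "esx"),
    ("192.168.2.0/24", "asa"),
    ("192.168.3.0/24", None),      # no application tag: falls back to the generic patterndb
]
# One db-parser per application; these file paths are assumptions.
PATTERNDB = {
    "esx": "/opt/syslog-ng/patterndb/esx.xml",
    "asa": "/opt/syslog-ng/patterndb/asa.xml",
    "generic": "/opt/syslog-ng/patterndb/generic.xml",
}

def ident(cidr):
    """192.168.1.0/24 -> 192_168_1_0; strict=True rejects CIDRs with host bits set."""
    return str(ipaddress.ip_network(cidr, strict=True).network_address).replace(".", "_")

def check_no_overlap(subnets):
    """Overlapping netmask() filters would feed one message to two parser paths."""
    nets = [ipaddress.ip_network(c, strict=True) for c, _ in subnets]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"overlapping subnets: {a} and {b}")

def render(subnets, patterndb):
    """Return {filename: text} for the generated conf files."""
    check_no_overlap(subnets)
    filters, dests, logs = [], [], []
    for cidr, app in subnets:
        i, app = ident(cidr), app or "generic"
        if app not in patterndb:
            raise KeyError(f"no patterndb defined for application {app!r}")
        filters.append(f"filter f_{i} {{ netmask({cidr}); }};")
        dests.append(f'destination d_{i} {{ file("/opt/syslog-ng/logs/{i}/$YEAR$MONTH$DAY-$HOUR-$HOST.log"); }};')
        # flat-file archive path, then the ES path with the application's own db-parser
        logs.append(f"log {{ source(s_net); filter(f_{i}); destination(d_{i}); }};")
        logs.append(f"log {{ source(s_net); filter(f_{i}); parser(p_{app}); destination(d_es); }};")
    parsers = [f'parser p_{a} {{ db-parser(file("{p}")); }};' for a, p in sorted(patterndb.items())]
    return {
        "dynamic-filter.conf": "\n".join(filters) + "\n",
        "dynamic-dest.conf": "\n".join(dests) + "\n",
        "dynamic-parser.conf": "\n".join(parsers) + "\n",
        "dynamic-logs.conf": "\n".join(logs) + "\n",
    }

if __name__ == "__main__":
    for name, text in render(SUBNETS, PATTERNDB).items():
        print(f"# {name}\n{text}")
```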
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
participants (2)
- Scheidler, Balázs
- Scot Needy