Hello, I would like to know whether syslog-ng can receive and manage logs which have the WELF format? Regards, Yann I.
On Tue, Dec 07, 2010 at 11:13:08AM +0100, Yann I. wrote:
Hello,
I would like to know whether syslog-ng can receive and manage logs which have the WELF format?
Regards,
Yann I.
Hi Yann,
It depends on what you are trying to do with it. In principle it's supported and you can decode it with a patterndb if the fields in your WELF are predictable. If the fields are not that predictable it's going to be more difficult.
I am using an extended WELF style format as a kind of IPC interface between downstream syslog-ngs that filter and break apart messages, and upstream ones that do database warehousing and anomaly detection.
Processing a whole ton of large WELF messages at a high rate of speed is very tricky in Perl, because regexes are too slow and there is no good equivalent to strtok or other low level C style tokenization techniques.
Can you supply sample messages so we could give you better advice?
Matthew.
If the order of the WELF elements stays the same, then you can use csv-parser with a space delimiter or db-parser to grab the terms. Otherwise, we were just discussing possibilities yesterday on this list under the subject "advice/assistance with parsing attempt requested" in which a possible feedback loop could be used with db-parser to break apart the WELF elements.
In addition to a log sample, can you tell us what exactly you want to do depending on the WELF element values?
On Tue, Dec 7, 2010 at 3:18 PM, Matthew Hall <mhall@mhcomputing.net> wrote:
On Tue, Dec 07, 2010 at 11:13:08AM +0100, Yann I. wrote:
Hello,
I would like to know whether syslog-ng can receive and manage logs which have the WELF format?
Regards,
Yann I.
Hi Yann,
It depends on what you are trying to do with it. In principle it's supported and you can decode it with a patterndb if the fields in your WELF are predictable. If the fields are not that predictable it's going to be more difficult.
I am using an extended WELF style format as a kind of IPC interface between downstream syslog-ngs that filter and break apart messages, and upstream ones that do database warehousing and anomaly detection.
Processing a whole ton of large WELF messages at a high rate of speed is very tricky in Perl, because regexes are too slow and there is no good equivalent to strtok or other low level C style tokenization techniques.
Can you supply sample messages so we could give you better advice?
Matthew.
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
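As an added example (not code from the thread, and not part of syslog-ng): a single-pass, strtok-style WELF tokenizer of the kind Matthew describes, covering the two cases the replies above point at: a space-delimited csv-parser breaks on quoted values that contain spaces, and a fixed-column patterndb pattern needs the fields in a predictable order, whereas keying on the field name accepts any order. The sample records are constructed.

```python
# Constructed sample WELF records (not taken from the thread); values are made up.
SAMPLE_WELF = [
    'id=firewall time="2010-12-07 11:13:08" fw=fw01 pri=6 rule=12 proto=tcp '
    'src=10.0.0.5 dst=192.0.2.10 dstport=443 msg="Connection permitted"',
    # quoted value containing escaped quotes, and fields in a different order
    'id=firewall time="2010-12-07 11:13:09" fw=fw01 pri=4 '
    'msg="Policy \\"deny-all\\" matched" src=10.0.0.9 dst=192.0.2.11 proto=udp',
]


def tokenize_welf(line):
    """Scan one WELF record into a dict of key -> value (single pass, no regex).

    Spaces separate fields, '=' separates key from value, and a value may be
    double-quoted (with backslash escapes) so it can itself contain spaces.
    Fields may come in any order, so the result is keyed by name, not position.
    """
    fields = {}
    i, n = 0, len(line)
    while i < n:
        if line[i] == ' ':          # skip field separators
            i += 1
            continue
        eq = line.find('=', i)
        key = line[i:eq] if eq != -1 else ''
        if not key or ' ' in key:   # bare token or missing '=' -> not WELF
            raise ValueError(f"malformed field at offset {i}")
        i = eq + 1
        if i < n and line[i] == '"':  # quoted value: read up to closing quote
            i += 1
            buf = []
            while i < n and line[i] != '"':
                if line[i] == '\\' and i + 1 < n:
                    i += 1          # keep the escaped character literally
                buf.append(line[i])
                i += 1
            if i >= n:
                raise ValueError("unterminated quoted value")
            i += 1                  # consume the closing quote
            value = ''.join(buf)
        else:                       # bare value runs to the next space
            end = line.find(' ', i)
            end = n if end == -1 else end
            value, i = line[i:end], end
        fields[key] = value
    return fields
```

A naive `line.split(' ')` on the first sample yields 12 tokens for 10 fields, which is exactly the breakage a space-delimited csv-parser would see on the quoted `time` and `msg` values.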
Participants (3): Martin Holste, Matthew Hall, Yann I.