Hi

I am wondering if there is a way to config syslog-ng so that

* it receives data from multiple processes running on the same source hosts and writing to the same port, without using (facility or severity levels) and still syslog writes a separate logfile for each process?

for example:

HOST A runs all following processes which all write to same port 908

process A
process b
process c

but different log files are created for each process.

thanks
jawed abbasi wrote:
> Hi
>
> I am wondering if there is a way to config syslog-ng so that
>
> * it receives data from multiple processes running on the same source hosts and writing to the same port, without using (facility or severity levels) and still syslog writes a separate logfile for each process?

Yes, it depends.

> for example:
>
> HOST A runs all following processes which all write to same port 908
>
> process A
> process b
> process c
>
> but different log files are created for each process.

If you can distinguish the output of each process, syslog-ng can also (via regex). A simple way to do that is to include PID in each MSG (a very common approach in non-Windoze world).

Kalin.
hi kalin

not sure what you mean include pid? how to add pid in msg? can you give me an example

thanks
[fixed quoting]

Hi Jawed,

jawed abbasi wrote:
> not sure what you mean include pid? how to add pid in msg? can you give me an example

PID is short for Process Identifier[1]. Generally, all processes in an OS can obtain their PID from the OS by invoking some function (e.g. `echo $$` in bash).

The processes A,a,b above have to be modified to prepend their PID in their log output. For example, an excerpt from my logs:

Jan 16 12:30:00 oss fcron[29796]: Job /usr/bin/test -x /usr/sbin/run-crons && /usr/sbin/run-crons started for user root (pid 29797)
Jan 16 12:40:00 oss fcron[29941]: Job /usr/bin/test -x /usr/sbin/run-crons && /usr/sbin/run-crons started for user root (pid 29942)

Note the end of the lines. You can filter things like that based on the "\(pid (\d+)\)" regex if I am not wrong in the syntax.

That is it.

[1] http://en.wikipedia.org/wiki/Process_identifier

All the best,
Kalin.
Thanks Kalin

But problem is I can't modify the behaviour of the application (application which I called a process), it's almost impossible, because code is not available to me. But because each process or application runs under different name, that might help me if it's possible to go with regex filtering.

thanks
You need a way to differentiate between the 3 processes. Are they three instances of the same program or different programs? It would help if you could give us an example of the logs.

Hari Sekhon
Hi Hari

they are 3 different programs, so here is the naming convention

AP-CC-AXXXX

AP = process type
cc = company code
A = technology type
xxxx = host number

So on host XXXX

there are 6 processes running which always have

AP same
cc different
A same
xxxx same

So the only way I can differentiate them is by CC which is unique to all processes.

Thanks
Do the logs always specify the name of the program that is logging? If so use 3 regex filters and 3 separate destinations, then use log statements to filter each program name to each destination. See the manual for how to do filters, destinations and logs if you are unsure of the syntax.

eg.

programname1: the program has done something worth logging
programname2: this program is starting up

These can be filtered by the actual log content themselves by using match("programname1:"); inside a filter{}; and then using the filter inside a log{}; statement with a separate destination{}; for the log statement so that only logs matching the filter are sent to that destination.

If the program doesn't give its own name in the log then what kind of program is that! eg "hello this is a log to tell you an error has occurred, but you will have to get which program on the whole OS generated it."

-h

Hari Sekhon
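The layout Hari describes above (one filter, one destination and one log statement per program), written out as a syslog-ng configuration. This is an added example, not part of the original thread: the UDP transport, the company codes AB/CD/EF, the file paths and the object names are assumptions; only port 908 and the AP-CC-AXXXX naming come from the thread.

```conf
# Added example (not from the thread). Assumed: UDP transport, company codes
# AB/CD/EF, the /var/log/apps/ paths and all object names. From the thread:
# port 908 and the AP-CC-AXXXX process naming.

source s_apps {
    udp(ip(0.0.0.0) port(908));
};

# One filter per company code. match() takes a regular expression and is
# applied to the message text, so this only works if each process writes
# its own name into every line it logs.
filter f_cc_ab { match("AP-AB-"); };
filter f_cc_cd { match("AP-CD-"); };
filter f_cc_ef { match("AP-EF-"); };

# Fixed file names, not names built from message content: whatever arrives
# on the network port is chosen by the sender.
destination d_cc_ab     { file("/var/log/apps/AP-AB.log"); };
destination d_cc_cd     { file("/var/log/apps/AP-CD.log"); };
destination d_cc_ef     { file("/var/log/apps/AP-EF.log"); };
destination d_unmatched { file("/var/log/apps/unmatched.log"); };

# flags(final) stops processing a message once a statement has matched it,
# so the later filters are not evaluated for that message.
log { source(s_apps); filter(f_cc_ab); destination(d_cc_ab); flags(final); };
log { source(s_apps); filter(f_cc_cd); destination(d_cc_cd); flags(final); };
log { source(s_apps); filter(f_cc_ef); destination(d_cc_ef); flags(final); };

# flags(fallback): receives only messages that matched none of the
# statements above, so lines without a recognised name are kept, not lost.
log { source(s_apps); destination(d_unmatched); flags(fallback); };
```

Running `syslog-ng --syntax-only -f <file>` checks that the file parses before the daemon is reloaded.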
Hi Jawad,

Have you considered using the program name filter utility? eg:

filter f_appA { program(appA); };

I'm using it in my current application and it seems to work very nicely.

Regards
Anthony
Sorry, I just realised your log messages are coming from a different device so, as someone else has said, use the match() utility instead.

Anthony
anthony

does this matching or filtering cost in terms of CPU and MEM. I mean if I use this will it raise CPU usage drastically. My applications are logging hogs, just to give you idea that just programA generates a few 100 MB in an hour.

will you be able to point me to some more reading material regarding this match and filter

I have got involved lately with syslog-ng, so I am not well versed with syslog-ng.

also I have heard about using macros, is this match and filter utility a type of macro?

thanks
Hi Jawad,

You can read about it in the reference manual that comes with the code distribution (doc/reference/syslog-ng.html.tar.gz). That's where I learnt about it.

As far as CPU and memory costs go, I think there will be a hit, but I don't know how big. The program() and match() utilities are basically string compares. My application does not log that heavily so I haven't noticed any problems, but yours sounds very intense. I suggest you do some experiments.

The macros are used in formatting of the message in the output. I don't think this term is used to refer to the filtering utilities.

I hope this helps.

Anthony
participants (4)
- anthony lineham
- Hari Sekhon
- jawed abbasi
- Kalin KOZHUHAROV