[syslog-ng] Filter enhancement

Gregor Binder gb@rootnexus.net
Thu, 6 Dec 2001 13:30:15 +0100

Jay Guerette on Thu, Dec 06, 2001 at 01:22:58AM -0500:


> > I don't see much difference vs. setting up a FIFO source and a program
> > destination. To avoid overhead, you can direct input from the FIFO
> > source directly to its destination. Have your external filter send
> > output to the pipe and there you go.
> I don't understand what you're suggesting here. I have no flexibility for
> source; it's good old UDP syslog or nothing. Are you saying take the UDP in, send
> it to a program, which writes it to a FIFO, that syslog-ng reads, and writes to a
> log? I'm confused...

okay, I admit I should have allocated more than one paragraph for the
explanation :)

You would need two source definitions, one for "regular" message
transport to syslog-ng (would probably contain internal, /dev/log, etc. and
your network port(s)), and the other one for messages that are fed back
to syslog-ng (which IMO should be a FIFO, because that gives you more
flexibility when choosing a language to implement your external filter).

The log statement for the first source would then probably be so that
all syslog-ng filters ("internal" filters in that case) would be applied
to the log message, while the log statement for the second source
definition could possibly be without any filters, and directly going to
a specific log.

What I was trying to say was: Since you can specify multiple sources,
and also which filters get applied to what source, you can get the
functionality you ask for without IMHO having too much overhead vs. the
solution you suggest. You'd obviously have to optimize the configuration
suitably to your environment.

I hope I made myself clear this time .. :)

 ____ ____ 
/  _/| -  >  Gregor Binder <gb@(rootnexus.net|sysfive.com)>
| / || _\ \
\__ Id: 0xE2F31C4B Fp: 8B8A 5CE3 B79B FBF1 5518 8871 0EFB AFA3 E2F3 1C4B
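
The layout described in this message, sketched as a syslog-ng configuration. This is an added example, not part of the original post; every name, path, port and the filter expression are assumptions chosen for illustration.

```conf
# Constructed example; all names and paths below are hypothetical.

# Source 1: "regular" transport (internal messages, local socket, UDP syslog).
source s_regular {
    internal();
    unix-stream("/dev/log");
    udp(ip(0.0.0.0) port(514));
};

# Source 2: the FIFO that the external filter writes its output to.
# Create it beforehand with a restrictive mode (e.g. mkfifo -m 600):
# any process that can write to it can inject log messages.
source s_feedback {
    pipe("/var/run/extfilter.fifo");
};

# "Internal" syslog-ng filter applied only to the regular source.
filter f_internal { level(info..emerg); };

# The external filter receives messages on stdin and writes results to the FIFO.
destination d_extfilter { program("/usr/local/bin/extfilter"); };
destination d_final     { file("/var/log/filtered.log"); };

# Path 1: regular input -> internal filters -> external filter program.
log { source(s_regular); filter(f_internal); destination(d_extfilter); };

# Path 2: fed-back messages -> no filters -> specific log.
# s_feedback must not appear in path 1, or messages would loop
# through the external filter indefinitely.
log { source(s_feedback); destination(d_final); };
```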