Hi Jawad,

You can read about it in the reference manual that comes with the code
distribution (doc/reference/syslog-ng.html.tar.gz). That's where I
learnt about it.

As far as CPU and memory costs go, I think there will be a hit, but I
don't know how big. The program() and match() utilities are basically
string compares. My application does not log that heavily so I haven't
noticed any problems, but yours sounds very intense. I suggest you do
some experiments.

The macros are used in formatting of the message in the output. I don't
think this term is used to refer to the filtering utilities.

I hope this helps.
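To put the program() / match() / macro distinction from this thread into one place, here is an added syslog-ng configuration (not from any poster in the thread) that splits messages from several programs arriving on one port into separate files. It assumes syslog-ng 3.x syntax; the program names, paths and port are illustrative.

```conf
# Added example (not from the thread): syslog-ng 3.x configuration that
# routes messages from several programs on one host to separate files.
# Program names, file paths and the port are assumptions for illustration.

source s_net {
    udp(ip(0.0.0.0) port(908));   # all processes on HOST A send here
};

# program() compares the parsed PROGRAM field ("fcron" in "fcron[29796]: ...")
# against a string, so it is a plain string compare per message.
filter f_appA { program("appA"); };
filter f_appB { program("appB"); };

# match() runs a regex. With value() it is restricted to one field instead
# of the whole message, which keeps the regex cost small on busy sources.
filter f_appC { match("^appC[0-9]*$" value("PROGRAM")); };

destination d_appA { file("/var/log/appA.log"); };
destination d_appB { file("/var/log/appB.log"); };
destination d_appC { file("/var/log/appC.log"); };

# Alternative needing no per-program filter: a macro in the file name.
# Macros are expanded per message when output is written, so $PROGRAM
# gives every program its own file without a filter statement.
destination d_by_program {
    file("/var/log/by-program/$PROGRAM.log" create_dirs(yes));
};

log { source(s_net); filter(f_appA); destination(d_appA); };
log { source(s_net); filter(f_appB); destination(d_appB); };
log { source(s_net); filter(f_appC); destination(d_appC); };

# Anything not matched by the paths above still lands somewhere
# (flags(fallback)), so a process with an unexpected name is not dropped.
log { source(s_net); destination(d_by_program); flags(fallback); };
```

The PROGRAM and PID fields are only populated when the sending process emits the usual "name[pid]:" tag, so a message without it falls into the $PROGRAM destination with an empty name; watch for that file when validating the setup.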


Does this matching or filtering cost in terms of CPU and MEM?
I mean, if I use this, will it raise CPU usage drastically?
My applications are logging hogs; just to give you an idea,
programA generates a few 100 MB in an hour.

Will you be able to point me to some more reading material regarding
this match and filter? I have got involved lately with syslog-ng, so I am
not well versed with syslog-ng.
Also I have heard about using macros. Is this match and filter utility
a type of macro?


Hi Jawad,

Have you considered using the program name filter utility?
filter f_appA { program(appA); };

I'm using it in my current application and it seems to work very


Thanks Kalin

But the problem is I can't modify the behaviour of the application (the
application which I called a process); it's almost impossible, because
the code is not available to me.
But because each process or application runs under a different name, it
might help me if it's possible to go with regex filtering.


>>> Hi
>>> I am wondering if there is a way to config syslog-ng so that
>>> * it receives data from multiple processes running on the same
>>> source hosts and writing to the same port, without using
>>> (facility or severity levels) and still syslog writes a separate
>>> logfile for each process?
>> Yes, it depends.
>>> for example:
>>> HOST A runs all following processes which all write to same port
>>> 908
>>> process A
>>> process b
>>> process c
>>> but different log files are created for each process.
>> If you can distinguish the output of each process, syslog-ng can
>> also (via regex). A simple way to do that is to include PID in each
>> MSG (a very common approach in non-Windoze world).
> not sure what you mean include pid? how to add pid in msg? can you
> give me an example
PID is short for Process Identifier[1]. Generally, all processes in a
can obtain their PID from the OS by invoking some function (e.g. `echo
$$` in bash).

The processes A, a, b above have to be modified to prepend their PID in
their log output. For example, an excerpt from my logs:

Jan 16 12:30:00 oss fcron[29796]: Job /usr/bin/test -x
/usr/sbin/run-crons && /usr/sbin/run-crons started for user root
Jan 16 12:40:00 oss fcron[29941]: Job /usr/bin/test -x
/usr/sbin/run-crons && /usr/sbin/run-crons started for user root

Note the end of the lines. You can filter things like that based on
"\(pid (\d+)\)" regex if I am not wrong in the syntax.

That is it.

[1] http://en.wikipedia.org/wiki/Process_identifier

All the best,
