[syslog-ng] Simple Doubt
Tom Le
dottom at gmail.com
Wed Jun 6 18:18:02 CEST 2007
>
> > On 6/5/07, Alexander Clouter <ac56 at soas.ac.uk> wrote:
> > >
> > >If you are logging to a file and having Perl munch on a log file you
> can
> > >remove the perl script and pipe from the whole works. syslog-ng can be
> > >configured to read in directly a log file; it effectively does a 'tail
> -f'
> > >on the file.
> >
> > Except for cases where you need the Perl script to post-process the log
> file
> > to produce a normalized or custom syslog message format.
> >
> Agreed, however a better design would be:
>
> <Log> ---> <Perl> ---> <Log2>
>
> <Log2> --[using 'tail' function]--> syslog-ng -> syslog-ng
>
> These would be disconnected and you would not run into any nasty problems.
> Another advantage being that if the perl code soaks up the CPU cycles and
> the
> logging is not urgent (needed at the final destination ASAP) you could
> nice
> down the priority of the process to prevent it stomping in on syslog-ng's
> performance.
But that scenario only supports logs that are "syslog friendly". If you
have to do any kind of normalization or post-processing or dealing with
multi-line records in a log file, you have to use a post-processing process
such as Perl. Not all logs have human-friendly readable text and the
post-processing Perl script can translate the log record into something more
useful.
The CPU cycles required by Perl parsing is minimal and is a common myth that
Perl is a CPU hog. I have Perl scripts processing billions of log events
per week.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20070606/8d63ff3c/attachment.html
More information about the syslog-ng
mailing list