[syslog-ng] grouping of sources

Balazs Scheidler bazsi at balabit.hu
Mon Feb 16 11:38:47 CET 2009


On Sun, 2009-02-15 at 14:40 -0500, Joe Shaw wrote:
> Hi,
> 
> On Sun, Feb 15, 2009 at 4:31 AM, Balazs Scheidler <bazsi at balabit.hu> wrote:
> > I'll see what I can do about this. What about the following idea:
> >  * make it possible to mark sources with tags
> >  * create a filter that matches tags
> >
> > Then you could do something like:
> >
> > source s_udp { udp(); tags(net); };
> > source s_tcp { tcp(); tags(net); };
> >
> > filter f_net_messages { tags(net); };
> >
> > log { flags(catch-all); filter(f_net_messages); destination(...); };
> >
> > I'd have to work on the syntax a bit more, but I hope the general idea
> > is visible.
> 
> Ah, interesting.  Yes, I think this would work just fine.

I gave some more thought to that, and I think I'd assign these options
to the log message, not the source group.

This would make it possible to filter based on this value and also to
change the tag assignments using a rewrite rule. I'd also assign the
initial tags to the log source driver, not the source group. e.g. it
would be something like this instead:

source s_udp { udp(tags(net)); };
source s_tcp { tcp(tags(net)); };
filter f_net_messages { tags(net); };
log { flags(catch-all); filter(f_net_messages); destination(...); };

On the internal side, I think I could make this at least as fast as
comparing facility/priority values by using a dynamically allocated
bitmask for the implementation, though that would limit the maximum
number of different tags to 32.

Hmm.. the same could be used for db-parser() classification. This idea
seems to be more and more appealing to me.

-- 
Bazsi
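As an added illustration of the bitmask idea sketched in the mail (this is example code written for this page, not syslog-ng's own; the names `tag_lookup`, `tags_to_mask`, `msg_add_tag`, `filter_tags_any`/`filter_tags_all` and the any/all matching semantics are assumptions), the following shows how a name-to-bit registry turns a message's tags into one 32-bit word, why a filter on it costs a single AND, and where the 32-tag limit comes from:

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Hypothetical tag registry: each distinct tag name gets one bit of a
 * uint32_t, so at most 32 tags can exist (the limit mentioned in the mail). */
#define MAX_TAGS 32
#define TAG_NAME_LEN 32

static char tag_names[MAX_TAGS][TAG_NAME_LEN];
static int tag_count = 0;

void tag_registry_reset(void) { tag_count = 0; }

/* Bit index for a tag name, registering it on first use.
 * Returns -1 once all 32 bits are taken. */
int tag_lookup(const char *name)
{
    for (int i = 0; i < tag_count; i++)
        if (strcmp(tag_names[i], name) == 0)
            return i;
    if (tag_count >= MAX_TAGS)
        return -1;
    strncpy(tag_names[tag_count], name, TAG_NAME_LEN - 1);
    tag_names[tag_count][TAG_NAME_LEN - 1] = '\0';
    return tag_count++;
}

/* Mask for a list of tag names, e.g. the tags() option of a source driver
 * or of a filter. Tags that do not fit in the registry are skipped. */
uint32_t tags_to_mask(const char *const *names, int n)
{
    uint32_t mask = 0;
    for (int i = 0; i < n; i++) {
        int id = tag_lookup(names[i]);
        if (id >= 0)
            mask |= (uint32_t)1 << id;
    }
    return mask;
}

/* The tags travel with the message, not with the source group, so a
 * rewrite rule can add or drop bits after the source assigned them. */
typedef struct { uint32_t tags; const char *text; } log_msg;

void msg_add_tag(log_msg *m, const char *name)
{
    int id = tag_lookup(name);
    if (id >= 0) m->tags |= (uint32_t)1 << id;
}

void msg_del_tag(log_msg *m, const char *name)
{
    int id = tag_lookup(name);
    if (id >= 0) m->tags &= ~((uint32_t)1 << id);
}

/* Two possible filter semantics (assumed, not syslog-ng's): the message
 * carries any of the wanted tags, or all of them. Either is one AND. */
int filter_tags_any(const log_msg *m, uint32_t want) { return (m->tags & want) != 0; }
int filter_tags_all(const log_msg *m, uint32_t want) { return (m->tags & want) == want; }

/* Register n synthetic tags "t0".."t(n-1)"; returns the id of the last one,
 * or -1 when the registry overflowed. Used to show the 32-tag limit. */
int register_n_tags(int n)
{
    char buf[16];
    int last = -1;
    for (int i = 0; i < n; i++) {
        snprintf(buf, sizeof buf, "t%d", i);
        last = tag_lookup(buf);
    }
    return last;
}

int main(void)
{
    /* Constructed sample: a message arriving on a source with tags(net). */
    log_msg m = { 0, "constructed sample message" };
    msg_add_tag(&m, "net");
    const char *f_net[] = { "net" };
    printf("f_net_messages matches: %d\n", filter_tags_any(&m, tags_to_mask(f_net, 1)));
    tag_registry_reset();
    printf("32 tags fit: %d, 33rd: %d\n", register_n_tags(32), tag_lookup("t32"));
    return 0;
}
```

The filter cost is the point: once the registry has assigned bits, testing a message against `f_net_messages` is a single mask operation, comparable to checking facility or priority, and the price is the hard cap of 32 distinct tags per `uint32_t`.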


