[syslog-ng] Support of welf format

Martin Holste mcholste at gmail.com
Tue Dec 7 22:53:09 CET 2010


If the order of the WELF elements stays the same, then you can use
csv-parser with a space delimiter or db-parser to grab the terms.
Otherwise, we were just discussing possibilities yesterday on this
list under the subject "advice/assistance with parsing attempt
requested" in which a possible feedback loop could be used with
db-parser to break apart the WELF elements.  In addition to a log
sample, can you tell us what exactly you want to do depending on the
WELF element values?

On Tue, Dec 7, 2010 at 3:18 PM, Matthew Hall <mhall at mhcomputing.net> wrote:
> On Tue, Dec 07, 2010 at 11:13:08AM +0100, Yann I. wrote:
>> Hello,
>>
>> I would like to know whether syslog-ng can receive and manage logs which
>> have the WELF format?
>>
>> Regards,
>>
>> Yann I.
>
> Hi Yann,
>
> It depends on what you are trying to do with it. In principle it's
> supported and you can decode it with a patterndb if the fields in your
> WELF are predictable. If the fields are not that predictable it's going
> to be more difficult.
>
> I am using an extended WELF style format as a kind of IPC interface
> between downstream syslog-ngs that filter and break apart messages, and
> upstream ones that do database warehousing and anomaly detection.
>
> Processing a whole ton of large WELF messages at a high rate of speed is
> very tricky in Perl, because regexes are too slow and there is no good
> equivalent to strtok or other low level C style tokenization techniques.
>
> Can you supply sample messages so we could give you better advice?
>
> Matthew.
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.campin.net/syslog-ng/faq.html
>
>
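Added example, not code from the thread, the syslog-ng project or any of the posters: a small Python key=value tokenizer for WELF lines, placed beside a fixed-column positional split of the kind Martin describes (token at position N gets column name N), and run over two constructed sample lines. The second line has the same keys in a different order and a quoted value containing spaces and escaped quotes, which is exactly the case where positional splitting mislabels fields. The regex, the sample lines, and split_positional (an approximation of a positional parser, not syslog-ng's csv-parser code) are all assumptions of this example. key_order is the check to run over a real sample before trusting a positional parser.

```python
import re

# Constructed WELF-style sample lines (they are not from the original thread).
SAMPLES = [
    'id=firewall time="2010-12-07 10:05:01" fw=192.0.2.1 pri=6 rule=12 '
    'proto=http src=10.0.0.5 dst=198.51.100.7 msg="Accepted outbound"',
    # Same keys in a different order, plus a quoted value that contains
    # spaces and escaped double quotes.
    'id=firewall fw=192.0.2.1 time="2010-12-07 10:05:02" pri=4 proto=ssh '
    'src=203.0.113.9 dst=10.0.0.22 rule=3 msg="Denied \\"inbound\\" on port 22"',
]

# One WELF element: key=value, where value is either a double-quoted string
# (backslash escapes allowed inside it) or a run of non-space characters.
# This tokenizer is an assumption of the example, not a published grammar.
TOKEN = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_welf(line):
    """Order-independent parse: {key: value}, with surrounding quotes and
    backslash escapes removed from quoted values."""
    fields = {}
    for key, raw in TOKEN.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = re.sub(r'\\(.)', r'\1', raw[1:-1])
        fields[key] = raw
    return fields


def key_order(line):
    """Keys in the order they appear. Compare this across a log sample to
    decide whether a fixed-column (positional) parser is safe for the feed."""
    return [m.group(1) for m in TOKEN.finditer(line)]


def split_positional(line, columns):
    """Fixed-column split, as a space-delimited positional parser would name
    things: the token at position i is called columns[i], whatever its key
    says. Quotes are left in place; the point here is the naming."""
    tokens = [m.group(0) for m in TOKEN.finditer(line)]
    return {name: tok.split('=', 1)[1] for name, tok in zip(columns, tokens)}


if __name__ == '__main__':
    columns = key_order(SAMPLES[0])  # template order taken from the first line
    for line in SAMPLES:
        print('by key:     ', parse_welf(line))
        print('positional: ', split_positional(line, columns))
        if key_order(line) != columns:
            print('WARNING: field order differs from the template line')
```

On the second sample the positional split files the firewall address under "time" and the protocol under "rule", while the key-based parse is unaffected. If key_order disagrees across a sample of real messages, the positional approach is the wrong tool and a key-aware parser is needed.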

