[syslog-ng] Better performance between udp, unix-stream or pipe ?

Martin Holste mcholste at gmail.com
Tue Nov 16 19:14:53 CET 2010


Does this work?

source s_udp_not_parsed { udp(port(514) flags(no-parse)); };
source s_udp { udp(port(514)); };

log {
  source(s_udp);
  parser(db-parser());
  destination(d_parsed);
};
log {
  source(s_udp_not_parsed);
  destination(d_not_parsed);
};

Otherwise, try reassembling a no-parse like message with a different
output template.

On Tue, Nov 16, 2010 at 11:13 AM, Yann I. <yann.frm at gmail.com> wrote:
> Well I'm not sure because of the flag I used for the UDP source which is set
> to "no-parse".
>
> Here is my problem. From the UDP source, I may receive logs which are not
> "syslog compliance". So I'm using the flag 'no-parse' then I rewrite the
> message. After that rewrite, I forward the new message to the same syslog-ng
> server.
> Then... I can apply filter, parser, etc on that new message which is now
> "syslog compliance" :-)
>
> So, I think I can't use log statement. I need to use that mechanism...
> There might be another solution but this one seems to be a good solution.
>
>
> 2010/11/16 Martin Holste <mcholste at gmail.com>
>>
>> Ok, then this should be accomplished with a standard log statement
>> like you've already begun to write.  What do your destinations look
>> like?
>>
>> On Tue, Nov 16, 2010 at 10:58 AM, Yann I. <yann.frm at gmail.com> wrote:
>> > In fact, this is the same process... There is only one process.
>> >
>> >
>> > 2010/11/16 Martin Holste <mcholste at gmail.com>
>> >>
>> >> Why do you need separate syslog-ng processes running?
>> >>
>> >> On Tue, Nov 16, 2010 at 10:49 AM, Yann I. <yann.frm at gmail.com> wrote:
>> >> > Hi !
>> >> >
>> >> > I have a question about the use of udp, unix-stream or pipe. I would like to
>> >> > forward a syslog message to the same syslog server like this :
>> >> >
>> >> > |  log {
>> >> > |     source (s_r_udp);    (<-- listen on UDP/514)
>> >> > |
>> >> > |     filter (....);
>> >> > |     filter (....);
>> >> > |     parser (...);
>> >> > |
>> >> > |     destination (d_local_syslog);  (<-- send the message to a local syslog by using unix-stream, udp or pipe mechanism)
>> >> > |  };
>> >> >
>> >> > (...)
>> >> >
>> >> > |  log {
>> >> > |     source (s_local_syslog);    (<--- here I receive the messages sent by the "d_syslog_loop")
>> >> > |
>> >> > |     filter (...);
>> >> > |     filter (...);
>> >> > |     parser (...);
>> >> > |
>> >> > |     destination (d_remote_syslog);
>> >> >
>> >> > I'm looking for the better way to send syslog message to the same syslog
>> >> > server : which mechanism provides the better performances : pipe, udp (by
>> >> > using network) or unix-stream ?
>> >> > Maybe the "pipe" is the better solution ?...
>> >> >
>> >> > I'm using the syslog-ng OSE 3.1.2 on CentOS.
>> >> >
>> >> > Regards,
>> >> >
>> >> > Yann I.
>> >> >
>> >> >
>> >> >
>> >> > ______________________________________________________________________________
>> >> > Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> >> > Documentation:
>> >> > http://www.balabit.com/support/documentation/?product=syslog-ng
>> >> > FAQ: http://www.campin.net/syslog-ng/faq.html
>> >> >
>> >> >
>> >> >
>> >>
>> >
>> >
>>
>
>
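
The step the thread keeps returning to (take in datagrams unparsed, rewrite the ones that are not syslog compliant, then filter and parse as usual) is sketched below in Python as an added example; it is not code from this thread or from syslog-ng. The function names, the default priority of 13 (user.notice) and the use of the sender address as hostname are assumptions made for the illustration.

```python
import re
from datetime import datetime

# RFC 3164 layout: <PRI>Mmm dd hh:mm:ss HOST MSG (day is space-padded).
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)"
    r" [ \d]\d \d{2}:\d{2}:\d{2} \S+ .*$"
)
PRI_ONLY = re.compile(r"^<(\d{1,3})>")
CONTROL = re.compile(r"[\x00-\x1f\x7f]+")
MAX_PRI = 191      # facility 23 * 8 + severity 7
DEFAULT_PRI = 13   # assumption: user.notice when the sender gave no usable PRI


def is_compliant(line: str) -> bool:
    """True if the line already carries a valid RFC 3164 header."""
    m = RFC3164.match(line)
    return m is not None and int(m.group("pri")) <= MAX_PRI


def normalize(raw: str, sender: str, now: datetime) -> str:
    """Pass compliant messages through; wrap anything else in a new header."""
    # Collapse control characters first so one datagram can never become
    # several log lines (an embedded newline would let a sender forge entries).
    line = CONTROL.sub(" ", raw).strip()
    if is_compliant(line):
        return line
    pri, body = DEFAULT_PRI, line
    m = PRI_ONLY.match(line)
    if m and int(m.group(1)) <= MAX_PRI:
        # Keep a usable PRI from the sender, rebuild the rest of the header.
        pri, body = int(m.group(1)), line[m.end():].lstrip()
    stamp = f"{now:%b} {now.day:2d} {now:%H:%M:%S}"
    return f"<{pri}>{stamp} {sender} {body}"


if __name__ == "__main__":
    now = datetime(2010, 11, 16, 19, 14, 53)
    # Constructed sample datagrams, not taken from the thread.
    samples = [
        "<34>Nov 16 19:14:53 host1 su: failed",
        "link down on port 3",
        "<999>oops",
        "<30>daemon started\n<0>forged",
    ]
    for raw in samples:
        print(normalize(raw, "192.0.2.10", now))
```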

