[syslog-ng] decoding messages from sockd (SOCKS proxy)
Matthew Hall
mhall at mhcomputing.net
Mon Oct 18 23:41:47 CEST 2010
On Fri, Oct 15, 2010 at 10:08:16PM +0200, Balazs Scheidler wrote:
> > Is it possible to do PCRE replacement using backreferences? Or is there
> > another way to get this to work?
>
> My best bet is to use the csv-parser() before doing patterndb matching. You
> can specify the delimiter to be ':', the first column is the hostname +
> port, the 2nd is the "error message". Then to split the first column,
> you could perhaps use PCRE to cut out the last '.' terminated portion.
Good proposal.
> Backrefs are however quite slow, especially if you want to use backrefs
> right in the pattern (and not in the replacement).
I receive about 300 messages per second from this source over a typical
almost-24-hour period of data. So I guess I can start with a backref and
change to something more complicated if it doesn't work well. Unless 300
MPS is already too much?
> Also note that you can have a match() filter store its matches using
> flags(store-matches), they'd be stored as $1, $2, etc, or if you use
> named groups, then $groupname will work as name-value pairs.
Helpful to know.
> Bazsi
Matthew.
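The two-stage split Bazsi proposes (csv-parser() on ':' first, then a PCRE match() with flags(store-matches) to cut the last '.'-terminated portion off the first column), written out as a syslog-ng configuration fragment. This is an added example, not configuration posted in the thread. It assumes sockd lines look like "host.port: error message", that the source s_sockd and the output file path are placeholders, and that the column names SOCKD.HOSTPORT and SOCKD.TEXT are names chosen here; the named groups host and port become $host and $port only after the filter has run in the log path.

```conf
# Added example, not from the original thread. Assumes sockd messages of
# the form "host.port: error message".

# Stage 1: split on ':'. greedy keeps any further ':' inside the message
# text in the last column instead of dropping the message as invalid.
parser p_sockd_csv {
    csv-parser(
        columns("SOCKD.HOSTPORT", "SOCKD.TEXT")
        delimiters(":")
        flags(greedy, strip-whitespace)
    );
};

# Stage 2: cut the last '.'-terminated portion off the first column.
# The greedy (?<host>.+) swallows any dots inside the hostname, so the
# port is always the final numeric piece. Named groups are stored as
# $host and $port because of store-matches.
filter f_sockd_split {
    match("^(?<host>.+)\\.(?<port>[0-9]+)$"
          value("SOCKD.HOSTPORT")
          type("pcre")
          flags("store-matches"));
};

# Placeholder destination showing the extracted values being used.
destination d_sockd_parsed {
    file("/var/log/sockd-parsed.log"
         template("${host} ${port} ${SOCKD.TEXT}\n"));
};

log {
    source(s_sockd);          # placeholder: whatever source carries sockd
    parser(p_sockd_csv);
    filter(f_sockd_split);    # messages not matching host.port are dropped here
    destination(d_sockd_parsed);
};
```

A message whose first column does not end in ".digits" fails f_sockd_split and leaves this log path; if those messages must be kept, route them through a second log path without the filter, or loosen the port group.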