[syslog-ng] [patterndb] classification
Balazs Scheidler
bazsi at balabit.hu
Mon Sep 6 10:26:02 CEST 2010
On Sat, 2010-09-04 at 10:57 -0700, Anton Chuvakin wrote:
> >> In CEE, OAS triad will likely be used as "default tags" for all messages.
> >
> > Is it a recursive hierarchy? e.g. is it possible to organize bunches to
> > even higher level bunches?
>
> Actually, we have not thought about it yet :-(
>
> > Also what I see unsolved is how the user can easily sort messages into
> > files/tables by bunch.
>
> This probably has to be done inside the log analysis tool that is
> aware of tags and their bunches.
>
> > Although if I were to define multi-value name-value pairs the one above
> > could expand to multiple file writes. This way writing by tags or by
> > bunches should be very simple.
>
> Multi-value N=V are evil. They kill log parsers and RDBMS :-) We did
> think a lot about this conundrum of src_IP="10.10.1.2,10.10.1.3" and
> might well recommend that it never happens. If we have to deaggregate
> logs (thus exploding the volume) the whole thing would be a mess...
Right, understood, agreed.
--
Bazsi
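
The concern quoted above, that a multi-value pair such as src_IP="10.10.1.2,10.10.1.3" defeats exact-match lookups and that deaggregating it multiplies the record count, worked through as an added example. It is not part of the original message; the sample line, the dst_port field and the function names are constructed for illustration.

```python
import itertools
import shlex


def parse_kv(line):
    """Parse space-separated name=value pairs; values may be double-quoted."""
    pairs = {}
    for token in shlex.split(line):
        name, sep, value = token.partition("=")
        if sep:
            pairs[name] = value
    return pairs


def deaggregate(record, multi_fields, sep=","):
    """Expand joined values into one single-valued record per combination."""
    names = list(record)
    choices = [
        record[n].split(sep) if n in multi_fields else [record[n]]
        for n in names
    ]
    # Every multi-value field multiplies the output: 2 IPs x 3 ports = 6 rows.
    return [dict(zip(names, combo)) for combo in itertools.product(*choices)]


def match(records, field, value):
    """Exact-match filter, as an indexed column or simple log filter compares."""
    return [r for r in records if r.get(field) == value]


# Constructed sample; only the src_IP value comes from the thread.
SAMPLE = 'action=deny src_IP="10.10.1.2,10.10.1.3" dst_port="22,23,3389" user=root'

if __name__ == "__main__":
    rec = parse_kv(SAMPLE)
    # The joined string is not equal to either address, so the event is missed.
    print("raw matches:", match([rec], "src_IP", "10.10.1.3"))
    flat = deaggregate(rec, {"src_IP", "dst_port"})
    print("records after deaggregation:", len(flat))
    print("flat matches:", len(match(flat, "src_IP", "10.10.1.3")))
```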