[syslog-ng] [RFC] value-pairs(), take #3

Matthew Hall mhall at mhcomputing.net
Mon Feb 7 18:43:07 CET 2011


On Mon, Feb 07, 2011 at 08:54:46AM -0800, Evan Rempel wrote:
> I think that you are approaching this as a filter of the keys.
> When doing this the first filter that "matches" the key is the one that
> actually determines if the key is included or not.
> 
> I approach this as a set theory specification. In set theory, it is
> the last item that determines if a key is included.
> 
> Both are equally flexible and non-ambiguous. My preference for this
> type of task is to use set theory. I view this as building a set of
> keys to place into the output template.

I think it was done that way for performance reasons.

If you are trying to process thousands of messages per second, you want 
to use a rulechain, and have the key rules as high as possible up the 
chain as you can manage.

Just like setting up ACL chains in a router.

Matthew.
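
The two evaluation orders discussed in this message, as an added example that is not part of the original post and is not syslog-ng code. The rule list, glob patterns and key names are constructed for illustration (they are not value-pairs() syntax), and the count of pattern tests stands in for per-message cost.

```python
from fnmatch import fnmatchcase

# Constructed rules, written in "set building" order: start broad, then refine.
RULES = [
    ("include", "*"),
    ("exclude", ".SDATA.*"),
    ("include", ".SDATA.meta.*"),
]
# Constructed key names for one log message.
KEYS = ["HOST", "PROGRAM", "MSG", ".SDATA.meta.sequenceId", ".SDATA.origin.ip"]


def first_match(key, rules):
    """Rulechain/ACL semantics: the first matching rule decides, then stop."""
    for tests, (action, pattern) in enumerate(rules, 1):
        if fnmatchcase(key, pattern):
            return action == "include", tests
    return False, len(rules)  # no rule matched: key is left out


def last_match(key, rules):
    """Set semantics: every rule is applied in order, the last match wins."""
    included = False
    for action, pattern in rules:
        if fnmatchcase(key, pattern):
            included = action == "include"
    return included, len(rules)  # always walks the whole list


def select(keys, rules, decide):
    """Return (selected keys, total pattern tests performed)."""
    chosen, tests = [], 0
    for key in keys:
        ok, n = decide(key, rules)
        tests += n
        if ok:
            chosen.append(key)
    return chosen, tests


if __name__ == "__main__":
    print("last-match :", select(KEYS, RULES, last_match))
    # Same list read as a first-match chain: "*" shadows every later rule.
    print("first-match:", select(KEYS, RULES, first_match))
    # Reversing the list gives the same key set with early exit.
    print("first-match, reversed:", select(KEYS, RULES[::-1], first_match))
```

A rule list written for one semantics silently selects a different key set under the other, so the ordering convention has to be known before a list is reused; here the first-match reading would emit `.SDATA.origin.ip`, which the author of the list meant to drop.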

