[syslog-ng] [RFC] value-pairs(), take #3
Matthew Hall
mhall at mhcomputing.net
Mon Feb 7 18:43:07 CET 2011
On Mon, Feb 07, 2011 at 08:54:46AM -0800, Evan Rempel wrote:
> I think that you are approaching this as a filter of the keys.
> When doing this the first filter that "matches" the key is the one that
> actually determines if the key is included or not.
>
> I approach this as a set theory specification. In set theory, it is
> the last item that determines if a key is included.
>
> Both are equally flexible and non-ambiguous. My preference for this
> type of task is to use set theory. I view this as building a set of
> keys to place into the output template.
I think it was done that way for performance reasons.
If you are trying to process thousands of messages per second, you want
to use a rulechain, and have the key rules as high as possible up the
chain as you can manage.
Just like setting up ACL chains in a router.
Matthew.
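
The two evaluation models discussed in this message, as an added example (not code from the thread or from syslog-ng). The `(action, glob)` rule tuples, the key names and the function names are constructed for illustration and are not value-pairs() syntax.

```python
from fnmatch import fnmatchcase

# Constructed rule list: (action, glob). Illustrative only, not syslog-ng syntax.
RULES = [
    ("include", "*"),
    ("exclude", ".SDATA.*"),
    ("include", ".SDATA.meta.*"),
]
# Constructed key names.
KEYS = ["HOST", "MSG", ".SDATA.origin.ip", ".SDATA.meta.sequenceId"]


def first_match(key, rules, default=False):
    """ACL-style chain: the first rule whose glob matches decides, then stop."""
    for tested, (action, pattern) in enumerate(rules, start=1):
        if fnmatchcase(key, pattern):
            return action == "include", tested
    return default, len(rules)


def last_match(key, rules, default=False):
    """Set building: every rule is applied in order, the last match decides."""
    included = default
    for action, pattern in rules:
        if fnmatchcase(key, pattern):
            included = action == "include"
    return included, len(rules)


def select(keys, rules, evaluator):
    """Return (selected keys, total number of rule tests performed)."""
    chosen, tests = [], 0
    for key in keys:
        ok, n = evaluator(key, rules)
        tests += n
        if ok:
            chosen.append(key)
    return chosen, tests


if __name__ == "__main__":
    for ev in (first_match, last_match):
        print(ev.__name__, *select(KEYS, RULES, ev))
    # Same intent under first-match needs the most specific rule first.
    print("first_match (reordered)", *select(KEYS, RULES[::-1], first_match))
```

With the same rule order, first-match lets the leading `*` include every key, while last-match drops `.SDATA.origin.ip`; reversing the list gives first-match the same result with fewer rule tests.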