[syslog-ng] [RFC]: Pattern matching & correlation ideas

Gergely Nagy algernon at balabit.hu
Wed Sep 5 14:47:56 CEST 2012


Jakub Jankowski <shasta at toxcorp.com> writes:

>> It does have downsides, though, namely that you need to regenerate &
>> recompile the module and restart syslog-ng each time you modify the
>> source, which is less convenient than just restarting syslog-ng
>> itself. One also needs to learn a 'new' language to write pattern
>> matchers in (but one has to learn patterndb too, anyway, so this isn't
>> that big a disadvantage, especially since a more language-like thing is,
>> in my opinion, easier to learn :).
>
> For me, this is a huge disadvantage, because that'd introduce the need to
> have a compiler handy, or to distribute a binary instead of a plaintext
> config file.

Yep, that sadly is there, which is why this will be an option, along
with patterndb.

On the other hand, it would also be possible to skip the compile step,
and write a module that would just run the thing. That'd have the
disadvantage (compared to the compiled version) that it'd be somewhat
slower and a little bit more complex to write, but would allow you to
only distribute plain text config files.

Since there's an intermediate syntax tree anyway (to separate the parser
and the code generator), it's not terribly hard to write an interpreter
on top of that, that doesn't generate the C code, but runs it instead.

I'll keep that in mind when I proceed, and will try to write the
interpreter along with the generator.

Thanks for the suggestion!

-- 
|8]


