[syslog-ng] grouping-by parser questions

Fekete, Róbert robert.fekete at balabit.com
Mon Jun 6 11:16:38 CEST 2016


Hi Bazsi,

I've started to document the grouping-by parser, and have a few
questions/comments about it:

* It seems that some of the grouping-by options are the same as (or very
similar to) the correlation-related attributes of the pattern database, but
have different names. Could we name them consistently where they are the
same? (I haven't checked the correlation module from Rust, but maybe we
could align that as well.)
For example:

  grouping-by  |  patterndb
  -------------|-------------------
  scope        |  context-scope
  timeout      |  context-timeout
  aggregate    |  message or action


* In the original commit message, you mention three possible values for
the 'scope' option, whereas the context-scope in the patterndb has four
(program). Are these deliberately different, or do they use the same code?

* grouping-by doesn't look to me like an actual parser. Of the existing
objects, it resembles a filter more (IMHO), but I'd rather categorize it as
something else that transforms/processes the incoming data, and it should
therefore be in a separate configuration object (along with the geoip parser).

Robert
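To make the naming comparison concrete, here is a grouping-by parser written out with the option names the mail lists, each annotated with the pattern database attribute it plays the role of. This is an added illustration, not part of the mail or of syslog-ng's own documentation; the key()/scope()/timeout()/aggregate()/inject-mode() syntax and the s_local/d_grouped names are assumptions.

```conf
# Added example (not from the mailing list post): a grouping-by parser that
# collects messages per host for 60 seconds and emits one aggregated message.
# Comments map each option to the patterndb correlation attribute it mirrors.
# Option syntax and source/destination names are assumptions.
parser p_group_by_host {
    grouping-by(
        key("${HOST}")                   # which messages belong to one context
        scope("host")                    # patterndb: context-scope="host"
        timeout(60)                      # patterndb: context-timeout="60"
        aggregate(                       # patterndb: <message> or <action>
            value("MESSAGE" "${HOST}: ${MESSAGE}")
            tags("grouped")
        )
        inject-mode("pass-through")      # forward the originals as well
    );
};

log {
    source(s_local);
    parser(p_group_by_host);
    destination(d_grouped);
};
```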