[syslog-ng] conf file structure best practice for patterns

Scot Needy scotrn at gmail.com
Fri Oct 7 19:02:24 UTC 2016

I have some code that can pull subnet info from IPplan or Solarwinds to generate 3 conf files. 

	destination d_192_168_1_0 { file("/opt/syslog-ng/logs/192_168_1_0/$YEAR$MONTH$DAY-$HOUR-$HOST.log"); };

	# subnet taken from the filter name; the /24 prefix length is inferred
	filter f_192_168_1_0 { netmask("192.168.1.0/24"); };

	log { source(s_net); filter(f_192_168_1_0); destination(d_192_168_1_0); };

Many but not all of these subnets are specific to an application like "Cisco ASA, VMware or server".

This works well for flat file archiving, but when using a pattern database would it be best to have one single large patterndb or define unique ones for each area when splitting that data stream to ES?

	log { source(s_net); parser(pattern_db); destination(d_es); };

	log { source(s_net); filter(f_192_168_1_0); parser(ESXpattern_db); destination(d_es); };
	log { source(s_net); filter(f_192_168_2_0); parser(ASApattern_db); destination(d_es); };

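The per-subnet layout described in the post, as an added example that is not the poster's generator or syslog-ng project code: a small Python script that takes a constructed subnet-to-application inventory and emits the destination, filter, parser and log statements, one application-specific patterndb per area and a generic one for subnets with no known application. The inventory, the patterndb file paths and the parser names (p_esx, p_asa, p_generic) are assumptions; the s_net source and d_es destination are taken from the post and assumed to be defined elsewhere in the configuration.

```python
import ipaddress
from typing import Dict, Optional

# Constructed sample inventory (not from the post): subnet -> application tag.
# A value of None means "no known application", routed to the generic patterndb.
SUBNETS: Dict[str, Optional[str]] = {
    "192.168.1.0/24": "esx",
    "192.168.2.0/24": "asa",
    "192.168.3.0/24": None,
}

# Hypothetical patterndb XML locations: one file per application plus a generic one.
PATTERNDB_FILES: Dict[Optional[str], str] = {
    "esx": "/opt/syslog-ng/patterndb/esx.xml",
    "asa": "/opt/syslog-ng/patterndb/asa.xml",
    None: "/opt/syslog-ng/patterndb/generic.xml",
}


def conf_name(subnet: str) -> str:
    """Turn '192.168.1.0/24' into the identifier suffix '192_168_1_0' (prefix dropped, as in the post).

    strict=True rejects entries with host bits set, so a typo such as
    192.168.1.5/24 fails here instead of producing a misleading filter name.
    """
    net = ipaddress.ip_network(subnet, strict=True)
    return str(net.network_address).replace(".", "_")


def parser_name(app: Optional[str]) -> str:
    return f"p_{app or 'generic'}"


def parser_block(app: Optional[str]) -> str:
    """One db-parser() object per patterndb file, reused by every subnet of that application."""
    return f'parser {parser_name(app)} {{ db-parser(file("{PATTERNDB_FILES[app]}")); }};'


def subnet_blocks(subnet: str, app: Optional[str]) -> str:
    """Destination, netmask filter, and the two log paths (flat file archive, patterndb -> ES)."""
    n = conf_name(subnet)
    dest, filt, parser = f"d_{n}", f"f_{n}", parser_name(app)
    lines = [
        # Path is quoted; ${NAME} macro form avoids ambiguity when macros are adjacent.
        f'destination {dest} {{ file("/opt/syslog-ng/logs/{n}/${{YEAR}}${{MONTH}}${{DAY}}-${{HOUR}}-${{HOST}}.log"); }};',
        f'filter {filt} {{ netmask("{subnet}"); }};',
        # Raw stream archived to disk, unchanged by any parser.
        f"log {{ source(s_net); filter({filt}); destination({dest}); }};",
        # Same stream through the area-specific patterndb and on to Elasticsearch.
        f"log {{ source(s_net); filter({filt}); parser({parser}); destination(d_es); }};",
    ]
    return "\n".join(lines)


def generate(subnets: Dict[str, Optional[str]] = SUBNETS) -> str:
    """Render the full generated fragment: parser objects first, then one block per subnet."""
    # dict.fromkeys keeps first-seen order and deduplicates, so each parser is defined once.
    apps = list(dict.fromkeys(subnets.values()))
    parts = [parser_block(app) for app in apps]
    parts += [subnet_blocks(subnet, app) for subnet, app in subnets.items()]
    return "\n\n".join(parts) + "\n"


if __name__ == "__main__":
    print(generate())
```

Run it and redirect the output into a file that the main configuration pulls in with @include; keeping the generated statements in their own file keeps hand-edited parts of the configuration out of the regeneration path.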