[syslog-ng] conf file structure best practice for patterns
Scot Needy
scotrn at gmail.com
Fri Oct 7 19:02:24 UTC 2016
I have some code that can pull subnet info from IPplan or Solarwinds to generate 3 conf files.
dynamic-dest.conf
destination d_192_168_1_0 { file("/opt/syslog-ng/logs/192_168_1_0/$YEAR$MONTH$DAY-$HOUR-$HOST.log"); };
dynamic-filter.conf
filter f_192_168_1_0 { netmask(192.168.1.0/24);};
dynamic-logs.conf
log { source(s_net); filter(f_192_168_1_0); destination(d_192_168_1_0);};
Many but not all of these subnets are specific to an application like "Cisco ASA, VMware or server".
This works well for flat file archiving, but when using a pattern database would it be best to have one single large patterndb or define unique ones for each area when splitting that data stream to ES?
log { source(s_net); parser(pattern_db); destination(d_es);};
OR
log { source(s_net); filter(f_192_168_1_0); parser(ESXpattern_db); destination(d_es); };
log { source(s_net); filter(f_192_168_2_0); parser(ASApattern_db); destination(d_es); };
…
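A generator in the shape the post describes, added here as an example and not the poster's own code: it takes inventory rows (constructed below, standing in for what IPplan or Solarwinds would return), derives the `d_`/`f_` names, and emits the three dynamic-*.conf fragments, writing one log path per subnet to the flat-file archive and a second one to `d_es` through a per-application parser (the second of the two layouts in the post). The `APP_PARSERS` mapping, `SHARED_PARSER`, and the existence of `s_net` and `d_es` elsewhere in the config are assumptions. The one check worth keeping is that every CIDR goes through `ipaddress.ip_network(..., strict=True)` before it is used to build an identifier or a file path, so malformed or stray-character entries from the asset inventory cannot end up inside the generated configuration.

```python
import ipaddress

# Constructed inventory rows (subnet in CIDR form, application tag or None for a mixed subnet).
INVENTORY = [
    ("192.168.1.0/24", "vmware"),
    ("192.168.2.0/24", "cisco-asa"),
    ("192.168.3.0/24", None),
]

# Assumed mapping: application tag -> name of the syslog-ng parser block that holds
# that application's pattern database. Subnets with no tag use the shared parser.
APP_PARSERS = {
    "vmware": "ESXpattern_db",
    "cisco-asa": "ASApattern_db",
}
SHARED_PARSER = "pattern_db"


def subnet_to_name(cidr):
    """Turn '192.168.1.0/24' into '192_168_1_0'.

    ip_network(strict=True) rejects host addresses with host bits set and any
    string that is not a well-formed network, so inventory data never reaches
    a syslog-ng identifier or file path unvalidated. Only IPv4 is handled,
    matching the netmask() filter used in the post.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if not isinstance(net, ipaddress.IPv4Network):
        raise ValueError("only IPv4 subnets are handled here: %r" % cidr)
    return str(net.network_address).replace(".", "_")


def render_conf(inventory, app_parsers, shared_parser, log_root="/opt/syslog-ng/logs"):
    """Return {filename: text} for dynamic-dest.conf, dynamic-filter.conf, dynamic-logs.conf."""
    dests, filters, logs = [], [], []
    for cidr, app in inventory:
        name = subnet_to_name(cidr)
        net = ipaddress.ip_network(cidr, strict=True)
        # file() takes a quoted string; $YEAR/$MONTH/$DAY/$HOUR/$HOST are syslog-ng macros.
        dests.append(
            'destination d_%s { file("%s/%s/$YEAR$MONTH$DAY-$HOUR-$HOST.log"); };'
            % (name, log_root, name)
        )
        filters.append("filter f_%s { netmask(%s); };" % (name, net.with_prefixlen))
        # Path 1: raw archive to the per-subnet file destination.
        logs.append("log { source(s_net); filter(f_%s); destination(d_%s); };" % (name, name))
        # Path 2: parsed copy to Elasticsearch via the application-specific pattern database.
        parser = app_parsers.get(app, shared_parser)
        logs.append(
            "log { source(s_net); filter(f_%s); parser(%s); destination(d_es); };"
            % (name, parser)
        )
    return {
        "dynamic-dest.conf": "\n".join(dests) + "\n",
        "dynamic-filter.conf": "\n".join(filters) + "\n",
        "dynamic-logs.conf": "\n".join(logs) + "\n",
    }


if __name__ == "__main__":
    for fname, text in render_conf(INVENTORY, APP_PARSERS, SHARED_PARSER).items():
        print("# %s" % fname)
        print(text)
```

Writing the three strings to the files named in the dictionary keys and reloading syslog-ng is left to the caller; the point of the structure is that the per-application choice of parser lives in one mapping, so switching a subnet between a dedicated patterndb and the shared one is a one-line inventory change rather than a hand edit of dynamic-logs.conf.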