[syslog-ng] Best way to pipe "application" logs to central syslog-ng server.

Gergely Nagy algernon at balabit.com
Wed May 9 13:19:36 UTC 2018


>>>>> "Delon" == Delon Lee Di Lun <lee.delon2005 at gmail.com> writes:

    Delon> However, would it be performance "greedy"?

It will certainly be slower than if you changed Apache to log to a
format that's easier to transport and work with on the server side. But
the CSV parser is quite performant.

    Delon> I read about the new BSD syslog protocol and IETF syslog protocol, doing
    Delon> comparison on the cost-benefit analysis on "upgrading" to using the
    Delon> protocol.

In this case, it doesn't matter, because we don't use the protocol, at
least, not in my example.

    Delon> I saw that the new IETF syslog protocol caters for an "APP-NAME" variable.
    Delon> Logically speaking, would I be able to read in the logs, specify the
    Delon> "APP-NAME", on the server site, filter out this "APP-NAME"?

Yeah, that's a possibility too. But if all you want is to store the logs
as-is on the server side, parsing them fully is much more expensive than
what I showed.

You can use a rewrite rule to change the app name, and then you can
filter on that on the server side. But if you use the filtering to route
messages to files, you can just use a templated filename, which would be
both faster, and the configuration would be a lot shorter too. The
downside is that you need to trust the incoming logs to have the correct
filename.

-- 
|8]
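
The rewrite and templated-filename approach from the reply above, sketched as an added example that is not part of the original message or of syslog-ng's own documentation. The file paths, the host name logs.example.internal, the app names and the allowlist filter are assumptions; the filter is one way to avoid trusting whatever name the client sends.

```conf
# ---- client side (host running Apache); hypothetical fragment ----
source s_apache_access {
    # Read the access log as-is, without parsing it as syslog
    file("/var/log/apache2/access.log" flags(no-parse));
};

rewrite r_app_name {
    # Set the app name the server will filter and route on
    set("apache-access", value("PROGRAM"));
};

destination d_central {
    # logs.example.internal is a placeholder for the central server
    network("logs.example.internal" transport("tcp") port(514));
};

log { source(s_apache_access); rewrite(r_app_name); destination(d_central); };

# ---- server side (central syslog-ng); hypothetical fragment ----
source s_net {
    network(transport("tcp") port(514));
};

filter f_known_apps {
    # Allowlist: only these app names may select a file name
    program("^(apache-access|apache-error)$");
};

destination d_per_app {
    # Templated filename: one file per app, no per-app log path needed
    file("/var/log/apps/${PROGRAM}.log");
};

destination d_unexpected {
    # Fixed file for anything that claims an unknown app name
    file("/var/log/apps/unexpected.log");
};

# Known names go to the templated file and stop there
log { source(s_net); filter(f_known_apps); destination(d_per_app); flags(final); };

# Everything else lands in one fixed file for review
log { source(s_net); destination(d_unexpected); };
```

Without the allowlist, every distinct ${PROGRAM} value a sender supplies creates and holds open another file on the server, which is why the name has to be trusted or constrained.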

