2015-03-31 15:46 GMT+02:00 <christopher.ra...@web.de>:
> Hi,
> Do you have some experience how large Lookup-tables can be until there are
> "negative" effects?
> 2400 entries seems to work fine :)
IIRC the current partial implementation is O(log n), so no problem.
>
> And another question, do I loose events, when doing a kill -HUP (for update
> of lookup-table)?
> (e.g. client threads are hard "terminated"...)
*should* not cause any issues.
Rainer
>
> best regards
> Chris
>
>
>
> Gesendet: Mittwoch, 25. März 2015 um 19:28 Uhr
> Von: "David Lang" <da...@lang.hm>
> An: rsyslog-users <rsyslog@lists.adiscon.com>
> Betreff: Re: [rsyslog] Separation of actions based on log source - with good
> performance
> On Wed, 25 Mar 2015, christopher.ra...@web.de wrote: > Hi, > I was doing some
> experiments with the lookup-table. > Looks really nice and the performance is
> promising. > (Unfortunately the evaluation of "nomatch" attribute is
> currently not implemented...) > > Never the less: > My plan is, to do diffent
> actions based on the type of host, mapped in the lookup-list. > For testing
> purposes, I use alway omfile. > > Unfortunately it does not work, to change
> the ruleset based on the variable. > Is there any other option or is there
> any mistake? for omfile you can use the dynafile approach to use the return
> variable, for remote things you would need to do an if then else approach for
> performance reasons many of the fields in rsyslog do not accept variables.
> This allows them to be computed/parsed once at startup rather than having to
> be evaluated for each log message. It's a bit of a hassle when you do want to
> do something dynamic, but even in cases where you have some dynamic things,
> you tend to have other static things that benefit from the speedup. David
> Lang > *** syslog.conf *** > lookup_table(name="lookuptable"
> file="/etc/rsyslog.lookup") > set $!dst = lookup("lookuptable",
> $fromhost-ip); > ruleset(name="typea"){ > action(type="omfile"
> file="/var/log/file_typea.log") > } > ruleset(name="typea"){ >
> action(type="omfile" file="/var/log/file_typeb.log") > } > > # Change set
> default ruleset, based on sourceip > $DefaultRuleset $!dst > >
> module(load="imtcp" KeepAlive="on" KeepAlive.Probes="1"
> KeepAlive.Interval="2" KeepAlive.Time="20") > input(type="imtcp" port="7714")
> > > *** lookup-table *** > { "version":1, "nomatch":"unk", "type":"string", >
> "table":[ {"index":"10.3.5.4", "value":"typea" }, > {"index":"10.2.2.1",
> "value":"typea" }, > {"index":"10.0.2.2", "value":"typeb" }, >
> {"index":"10.2.2.3", "value":"typeb" } > ] > } > > > best regards > Chris >
> > > > Gesendet: Dienstag, 24. März 2015 um 17:14 Uhr > Von:
> christopher.ra...@web.de > An: rsyslog@lists.adiscon.com > Betreff: Re:
> [rsyslog] Separation of actions based on log source - with good performance >
> Hi David, > > Thanks sounds great, I will try this in the next days :) > >
> Chris > > > > Gesendet: Montag, 23. März 2015 um 17:44 Uhr > Von: "David
> Lang" > An: rsyslog-users > Betreff: Re: [rsyslog] Separation of actions
> based on log source - with good performance > This is the sort of thing that
> the table lookup functionality was designed for. > It wasn't fully
> implemented to the design (funding fell through), but I think it works for a
> single table. > you could use it to do the mapping from your many hosts to a
> couple of values and then have your test be based on the resulting value. > >
> David Lang On Mon, 23 Mar 2015 > [...] >
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
> LIKE THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
