Sweet, plan on playing with it tomorrow.

--
Regards,
Janmejay

PS: Please blame the typos in this mail on my phone's uncivilized soft
keyboard sporting its not-so-smart-assist technology.

On Sep 30, 2015 12:16 AM, "Rainer Gerhards" <rgerha...@hq.adiscon.com>
wrote:

> It's a long time since I implemented what currently is there. It should be
> relatively solid with probably some minor glitches. It provides the code
> functionality as far as I remember.
>
> Rainer
>
> Sent from phone, thus brief.
> On 29.09.2015 20:07, "singh.janmejay" <singh.janme...@gmail.com> wrote:
>
> > Rainer/David,
> >
> > Exactly how much of lookup_table functionality is implemented?
> >
> > What can I not do with it? (you mentioned something about single table
> > in this thread, can you please elaborate?).
> >
> > On Tue, Mar 31, 2015 at 7:23 PM, Rainer Gerhards
> > <rgerha...@hq.adiscon.com> wrote:
> > > 2015-03-31 15:46 GMT+02:00  <christopher.ra...@web.de>:
> > >> Hi,
> > >> Do you have some experience how large Lookup-tables can be until there are "negative" effects?
> > >> 2400 entries seems to work fine :)
> > >
> > > IIRC the current partial implementation is O(log n), so no problem.
> > >
> > >>
> > >> And another question, do I lose events, when doing a kill -HUP (for update of lookup-table)?
> > >> (e.g. client threads are hard "terminated"...)
> > >
> > > *should* not cause any issues.
> > >
> > > Rainer
> > >>
> > >> best regards
> > >> Chris
> > >>
> > >>
> > >>
> > >> Sent: Wednesday, 25 March 2015 at 19:28
> > >> From: "David Lang" <da...@lang.hm>
> > >> To: rsyslog-users <rsyslog@lists.adiscon.com>
> > >> Subject: Re: [rsyslog] Separation of actions based on log source - with good performance
> > >>
> > >> On Wed, 25 Mar 2015, christopher.ra...@web.de wrote:
> > >>
> > >> > Hi,
> > >> > I was doing some experiments with the lookup-table.
> > >> > Looks really nice and the performance is promising.
> > >> > (Unfortunately the evaluation of "nomatch" attribute is currently not implemented...)
> > >> >
> > >> > Nevertheless:
> > >> > My plan is, to do different actions based on the type of host, mapped in the lookup-list.
> > >> > For testing purposes, I use always omfile.
> > >> >
> > >> > Unfortunately it does not work, to change the ruleset based on the variable.
> > >> > Is there any other option or is there any mistake?
> > >>
> > >> for omfile you can use the dynafile approach to use the return variable, for
> > >> remote things you would need to do an if then else approach
> > >>
> > >> for performance reasons many of the fields in rsyslog do not accept variables.
> > >> This allows them to be computed/parsed once at startup rather than having to be
> > >> evaluated for each log message. It's a bit of a hassle when you do want to do
> > >> something dynamic, but even in cases where you have some dynamic things, you
> > >> tend to have other static things that benefit from the speedup.
> > >>
> > >> David Lang
> > >>
> > >> > *** syslog.conf ***
> > >> > lookup_table(name="lookuptable" file="/etc/rsyslog.lookup")
> > >> > set $!dst = lookup("lookuptable", $fromhost-ip);
> > >> > ruleset(name="typea"){
> > >> >     action(type="omfile" file="/var/log/file_typea.log")
> > >> > }
> > >> > ruleset(name="typeb"){
> > >> >     action(type="omfile" file="/var/log/file_typeb.log")
> > >> > }
> > >> >
> > >> > # Change set default ruleset, based on sourceip
> > >> > $DefaultRuleset $!dst
> > >> >
> > >> > module(load="imtcp" KeepAlive="on" KeepAlive.Probes="1" KeepAlive.Interval="2" KeepAlive.Time="20")
> > >> > input(type="imtcp" port="7714")
> > >> >
> > >> > *** lookup-table ***
> > >> > { "version":1, "nomatch":"unk", "type":"string",
> > >> >   "table":[ {"index":"10.3.5.4", "value":"typea" },
> > >> >             {"index":"10.2.2.1", "value":"typea" },
> > >> >             {"index":"10.0.2.2", "value":"typeb" },
> > >> >             {"index":"10.2.2.3", "value":"typeb" }
> > >> >   ]
> > >> > }
> > >> >
> > >> > best regards
> > >> > Chris
> > >> >
> > >> > Sent: Tuesday, 24 March 2015 at 17:14
> > >> > From: christopher.ra...@web.de
> > >> > To: rsyslog@lists.adiscon.com
> > >> > Subject: Re: [rsyslog] Separation of actions based on log source - with good performance
> > >> >
> > >> > Hi David,
> > >> >
> > >> > Thanks sounds great, I will try this in the next days :)
> > >> >
> > >> > Chris
> > >> >
> > >> > Sent: Monday, 23 March 2015 at 17:44
> > >> > From: "David Lang"
> > >> > To: rsyslog-users
> > >> > Subject: Re: [rsyslog] Separation of actions based on log source - with good performance
> > >> >
> > >> > This is the sort of thing that the table lookup functionality was designed for.
> > >> > It wasn't fully implemented to the design (funding fell through), but I think it works for a single table.
> > >> > you could use it to do the mapping from your many hosts to a couple of values and then have your test be based on the resulting value.
> > >> >
> > >> > David Lang
> > >> >
> > >> > On Mon, 23 Mar 2015
> > >> > [...]
> > >>
> > >> _______________________________________________
> > >> rsyslog mailing list
> > >> http://lists.adiscon.net/mailman/listinfo/rsyslog
> > >> http://www.rsyslog.com/professional-services/
> > >> What's up with rsyslog? Follow https://twitter.com/rgerhards
> > >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
> >
> >
> >
> > --
> > Regards,
> > Janmejay
> > http://codehunk.wordpress.com
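
The routing David Lang describes in the quoted reply (dynafile for omfile, if/then/else for remote targets), written out as an added example that is not part of the original thread. The ruleset name bysource, the template name perTypeFile and the omfwd targets are assumptions; the fallback branch is there because the thread reports that "nomatch" was not evaluated.

```conf
# Added example, not from the thread. Names marked "assumed" are illustrative.
module(load="imtcp")
lookup_table(name="lookuptable" file="/etc/rsyslog.lookup")

# Assumed template name. The file name is built per message from the
# lookup result, which is what the dynafile approach means.
template(name="perTypeFile" type="string"
         string="/var/log/file_%$!dst%.log")

# Assumed ruleset name. All per-source decisions live here.
ruleset(name="bysource") {
    set $!dst = lookup("lookuptable", $fromhost-ip);

    # Pin the value to a closed set, so a sender that is not in the table
    # cannot produce an unexpected file name or fall through every branch.
    if $!dst != "typea" and $!dst != "typeb" then {
        set $!dst = "unk";
    }

    # Local files: omfile takes a template name through dynaFile.
    action(type="omfile" dynaFile="perTypeFile")

    # Remote targets: the target is a static parameter, so branch
    # explicitly on the looked-up value. Host names are placeholders.
    if $!dst == "typea" then {
        action(type="omfwd" target="collector-a.example.net"
               port="514" protocol="tcp")
    } else if $!dst == "typeb" then {
        action(type="omfwd" target="collector-b.example.net"
               port="514" protocol="tcp")
    }
}

# Bind the input to the ruleset statically instead of trying to set
# $DefaultRuleset from a variable.
input(type="imtcp" port="7714" ruleset="bysource")
```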