Hi everyone

I'm currently using logstash as the log collector from a few rsyslog sender 
clients. I'd like to use rsyslog to receive the remote logs instead of 
logstash. This means I'm keeping things simple and can possibly also use RELP.

If the rsyslog receiver is doing a lot of regex parsing on each message received 
(i.e. parsing Apache logs into ElasticSearch fields), at what sort of volume of 
log messages would I start to notice performance problems?

Eventually I'm expecting about 5-10GB per day to be received by our centralised 
rsyslog log server.

Should I actually get the rsyslog senders to parse the regex patterns of Apache 
logs into JSON then forward that JSON to the receiver? So the sender's got the 
regex overhead?

Or will an rsyslog receiver easily be able to parse all the regex patterns with 
my volume of logging?
Having the regex patterns parsed in one place would make for easier management. 
If necessary we can just throw more vCPUs and memory at the log server without 
needing to touch the web nodes.

Thanks, Ben

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog