2016-10-06 10:42 GMT+02:00 [email protected] <[email protected]>:

>
>
> El 04/10/16 a las 20:31, Joe Blow escribió:
>
>> <rant>
>>
>> Regex should be avoided like the plague, at all costs.  If you know your
>> logs well enough to write a regex for them, why wouldn't you write a
>> liblognorm rule instead?
>>
> Totally agree...(actually, liblognorm is giving me segfaults :P)


I'll try to check next week when my current task is done.

>
>
> I use liblognorm + rsyslog to forward to ES with very little overhead.  If
>> you like performance and scalability, use liblognorm.
>>
> Ok
>
>> If you got a free
>> Logstash T-shirt from a conference you went to, use Logstash.  At the end
>> of the day rsyslog has a great set of output plugins (mongo, ES, kafka,
>> etc.) so if you get your output into JSON, you're laughing.  Liblognorm
>> does this faster/better/stronger than grok.
>>
> Almost convinced...I'll love to hear more voices anyway
>

Liblognorm is based on work from my MSc Thesis. The thesis paper is
currently being processed for upload, I expect it to be available next
week. If you'd like to dig down to the details and an explanation why it is
faster, the thesis will have it in great detail. I can post a link once it
is online.

HTH
Rainer

> Thanks a lot
>
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
>
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Reply via email to