On Wed, 25 Mar 2015, Risto Vaarandi wrote:

2015-03-25 23:51 GMT+02:00 Risto Vaarandi <risto.vaara...@gmail.com>:

hi Leonard,

there is no specific documentation on running multiple sec processes,
since starting multiple instances depends heavily on the surrounding
environment. For example, if you have installed sec from EPEL RPM package (
http://dl.fedoraproject.org/pub/epel/5/x86_64/repoview/sec.html) and wish
to start sec from RHEL init script, you would have to set up multiple
instances from /etc/sysconfig/sec (this file should contain a relevant
example).

However, if you are starting sec instances from syslog-ng, you need to
decide how to distribute messages between different instances, and write
relevant filters, destinations and log path definitions for syslog-ng.
Suppose you are receiving all your messages from remote nodes in BSD syslog
format via port 514/udp. Then your source definition might look like:

source remotemsg { udp(); };

Suppose that messages with mail-facility and kern-facility appear very
frequently among the syslog messages, and you would like to handle them
separately with two sec instances, and for the rest of the messages, you
would like to have a third instance. Let's also assume that your sec rules
for mail-facility are stored in /etc/sec/mail/*.sec, for kern-facility in
/etc/sec/kern/*.sec, and for the rest of the messages in /etc/sec/other/*.sec.
For this setup, you could use the following syslog-ng configuration file
statements:

# filters for separating messages with mail, kern, and other facilities
filter mail { facility(mail); };
filter kern { facility(kern); };
filter other { not facility(mail) and not facility(kern); };

# destination definitions for three sec instances that process mail, kern,
# and other facilities
destination sec-mail { program("/usr/bin/sec --conf=/etc/sec/mail/*.sec --notail --input=-"); };
destination sec-kern { program("/usr/bin/sec --conf=/etc/sec/kern/*.sec --notail --input=-"); };
destination sec-other { program("/usr/bin/sec --conf=/etc/sec/other/*.sec --notail --input=-"); };

# log statements for activating sec instances
log { source(remotemsg); filter(mail); destination(sec-mail); };
log { source(remotemsg); filter(kern); destination(sec-kern); };
log { source(remotemsg); filter(other); destination(sec-other); };


...also, if the facility-based load balancing is suboptimal for your
environment, you can filter and divide messages by many different criteria
like the syslog tag (program name), message text, source IP address/net,
and a number of other properties. Fortunately, syslog-ng has a rich
filtering language which should allow for implementing virtually any
message filtering scheme.

I'm doing a similar thing with rsyslog, and one thing that I'm doing to keep performance high is that I'm having rsyslog write to sec using a custom format for each instance that includes only the information that sec needs. That way it's not having to spend any more time parsing or matching data than it needs to.

David Lang
------------------------------------------------------------------------------

Dive into the World of Parallel Programming The Go Parallel Website, sponsored

by Intel and developed in partnership with Slashdot Media, is your hub for all

things parallel software development, from weekly thought leadership blogs to

news, videos, case studies, tutorials and more. Take a look and join the 

conversation now. http://goparallel.sourceforge.net/
_______________________________________________

Simple-evcorr-users mailing list

Simple-evcorr-users@lists.sourceforge.net

https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
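
The following is an added example, not configuration posted by either participant in the thread: it sketches the rsyslog approach described in the last message, applied to the same three-way facility split as the syslog-ng configuration above. It assumes rsyslog v8 with the imudp and omprog modules; the template names and the fields chosen for each template are assumptions, to be replaced with whatever the sec rules in each directory actually match on.

```rsyslog
# Added example: three sec instances fed by rsyslog, each with its own
# trimmed output format. Template names and field choices are assumptions.

module(load="imudp")
module(load="omprog")

# Receive BSD syslog messages from remote nodes on 514/udp
input(type="imudp" port="514")

# One template per instance, carrying only the fields that instance's rules use
# (assumed here: mail rules match on host, tag and text; kern rules on host and
# text only; the catch-all rules also need the facility and severity names).
template(name="sec_mail"  type="string" string="%hostname% %syslogtag%%msg%\n")
template(name="sec_kern"  type="string" string="%hostname%%msg%\n")
template(name="sec_other" type="string"
         string="%hostname% %syslogfacility-text%.%syslogseverity-text% %syslogtag%%msg%\n")

# Route each message to exactly one instance. Each action gets its own queue
# so that one slow sec instance does not hold up the other two.
if $syslogfacility-text == 'mail' then {
    action(type="omprog"
           binary="/usr/bin/sec --conf=/etc/sec/mail/*.sec --notail --input=-"
           template="sec_mail"
           queue.type="LinkedList")
} else if $syslogfacility-text == 'kern' then {
    action(type="omprog"
           binary="/usr/bin/sec --conf=/etc/sec/kern/*.sec --notail --input=-"
           template="sec_kern"
           queue.type="LinkedList")
} else {
    action(type="omprog"
           binary="/usr/bin/sec --conf=/etc/sec/other/*.sec --notail --input=-"
           template="sec_other"
           queue.type="LinkedList")
}
```

Because each instance now sees a different line layout, the patterns in each rule directory have to be written against that instance's template rather than against the standard syslog line format.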
