Mailing-List: contact user-help@flume.apache.org; run by ezmlm
Precedence: bulk
Reply-To: user@flume.apache.org
Received-SPF: pass (nike.apache.org: domain of sharninder@gmail.com designates
 209.85.212.182 as permitted sender)
MIME-Version: 1.0
In-Reply-To: 
 <CAACPw8AOeS0a8G=ME6n3eoqUC9mnexcW01Xg1cVZot0c6_-eQA@mail.gmail.com>
References: 
 <CAACPw8C5WGrk4JHaRvY2cOEmT0enA_n0H6a8p4LegDdrfSs-_A@mail.gmail.com>
	<1413434829172.0ad74266@Nodemailer>
	<CAJmzdX=SjzGaTzD-_de33SNL1sU52aSj7vce0s4U4NwZG7jHrA@mail.gmail.com>
	<CAACPw8AOeS0a8G=ME6n3eoqUC9mnexcW01Xg1cVZot0c6_-eQA@mail.gmail.com>
Date: Thu, 16 Oct 2014 12:12:18 +0530
Message-ID: 
 <CAACPw8Ab0SJ_-YyoKz3cd85UeNjU0X9s6W-YCLrhf6=z2JnhkQ@mail.gmail.com>
Subject: Re: Flume Syslog source
From: Sharninder <sharninder@gmail.com>
To: "user@flume.apache.org" <user@flume.apache.org>
Content-Type: multipart/alternative; boundary=f46d043d673fbdeaba0505848c37

--f46d043d673fbdeaba0505848c37
Content-Type: text/plain; charset=ISO-8859-1

I just looked at the existing syslogtcp source and it seems it does take
pains to parse the hostname from the message and I think that is the best
bet for me. Ofcourse, it might fail for a few devices, but I'll just have
to think of something else for those.

--
Sharninder


On Thu, Oct 16, 2014 at 10:40 AM, Sharninder <sharninder@gmail.com> wrote:

> Yes Jeff. That's a possiblity but I'm not sure (actually pretty sure) that
> there would be a some random device which will not send their logs in the
> proper format and my regex will break. This is the way I'll implement it if
> I can't find anything better.
>
> Thanks,
> Sharninder
>
>
>
> On Thu, Oct 16, 2014 at 10:22 AM, Jeff Lord <jlord@cloudera.com> wrote:
>
>> You can also use a regex interceptor to extract hostname from the message
>> (assuming it's there) and put that in an event header. From there you can
>> route and create partitions with the header.
>>
>>
>> On Wednesday, October 15, 2014, Hari Shreedharan <
>> hshreedharan@cloudera.com> wrote:
>>
>>> The Multiport syslog source can add the port number on which the data
>>> was received to the event headers. You can use with a multiplexing channel
>>> selector to separate this to different channels.
>>>
>>> Thanks,
>>> Hari
>>>
>>>
>>> On Wed, Oct 15, 2014 at 9:45 PM, Sharninder <sharninder@gmail.com>
>>> wrote:
>>>
>>>> Hi Guys,
>>>>
>>>> I'm trying to implement a system to archive syslogs using flume. I've
>>>> played around with it a bit but haven't really been able to figure out a
>>>> way to segregate logs according to the host they're coming from? Is there a
>>>> way for me to add the hostname to the event header somehow? I can then use
>>>> either an interceptor to read the header or even a custom sink to deal with
>>>> events based on the hostname.
>>>>
>>>> --
>>>> Sharninder
>>>>
>>>>
>>>
>

--f46d043d673fbdeaba0505848c37
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div>I just looked at the existing syslogtcp source and it=
 seems it does take pains to parse the hostname from the message and I thin=
k that is the best bet for me. Ofcourse, it might fail for a few devices, b=
ut I&#39;ll just have to think of something else for those.<br><br></div>--=
<br>Sharninder<br><br></div><div class=3D"gmail_extra"><br><div class=3D"gm=
ail_quote">On Thu, Oct 16, 2014 at 10:40 AM, Sharninder <span dir=3D"ltr">&=
lt;<a href=3D"mailto:sharninder@gmail.com" target=3D"_blank">sharninder@gma=
il.com</a>&gt;</span> wrote:<br><blockquote class=3D"gmail_quote" style=3D"=
margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir=3D"=
ltr"><div>Yes Jeff. That&#39;s a possiblity but I&#39;m not sure (actually =
pretty sure) that there would be a some random device which will not send t=
heir logs in the proper format and my regex will break. This is the way I&#=
39;ll implement it if I can&#39;t find anything better.<br><br></div>Thanks=
,<br>Sharninder<div><div class=3D"h5"><br>=A0<br><div><div class=3D"gmail_e=
xtra"><br><div class=3D"gmail_quote">On Thu, Oct 16, 2014 at 10:22 AM, Jeff=
 Lord <span dir=3D"ltr">&lt;<a href=3D"mailto:jlord@cloudera.com" target=3D=
"_blank">jlord@cloudera.com</a>&gt;</span> wrote:<br><blockquote class=3D"g=
mail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-l=
eft:1ex">You can also use a regex interceptor to extract hostname from the =
message (assuming it&#39;s there) and put that in an event header. From the=
re you can route and create partitions with the header.<div><div><span></sp=
an><br><br>On Wednesday, October 15, 2014, Hari Shreedharan &lt;<a href=3D"=
mailto:hshreedharan@cloudera.com" target=3D"_blank">hshreedharan@cloudera.c=
om</a>&gt; wrote:<br><blockquote class=3D"gmail_quote" style=3D"margin:0 0 =
0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<span><div>The Multiport syslog source can add the port number on which the=
 data was received to the event headers. You can use with a multiplexing ch=
annel selector to separate this to different channels.</div></span><div>
<br>Thanks,<br>Hari</div>
<br><br><div class=3D"gmail_quote"><p>On Wed, Oct 15, 2014 at 9:45 PM, Shar=
ninder <span dir=3D"ltr">&lt;<a>sharninder@gmail.com</a>&gt;</span> wrote:<=
br></p><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-=
left:1px #ccc solid;padding-left:1ex"><div dir=3D"ltr">
<div>Hi Guys,<br><br>I&#39;m trying to implement a system to archive syslog=
s using flume. I&#39;ve played around with it a bit but haven&#39;t really =
been able to figure out a way to segregate logs according to the host they&=
#39;re coming from? Is there a way for me to add the hostname to the event =
header somehow? I can then use either an interceptor to read the header or =
even a custom sink to deal with events based on the hostname.<br><br>--<br>=
</div>Sharninder<br><br></div></blockquote></div><br></blockquote>
</div></div></blockquote></div><br></div></div></div></div></div>
</blockquote></div><br></div>

--f46d043d673fbdeaba0505848c37--