Currently I process and transform the Windows event/IIS logs on the client, however as I have more servers I am wondering about routing everything to a central point using the binary format and then processing them into the relevant tables in a MySQL db. I am struggling with at which stage this filtering and transforming is done and what the route should look like. Do I use the pattern filter in a process stage and then use an if statement in the route based on the pattern id?

Clients

im_msvistalog => om_tcp (binary)

w3c extension(im_file) => om_tcp (binary)

Server

im_tcp => ?????????? => ?????? (om_dbi but based on source message type evntlog table |syslog table |iis log table|apache log table|security log table)

Can you point me in the right direction?

Asked October 21, 2014 - 11:41am

Answer (1)

You probably need to create an om_dbi instance for each table and filter the data there, something like this:

im_tcp => om_dbi1, om_dbi2, om_dbi3, ....

And your dbi instances would be:

<Output om_dbi1>
  Module om_dbi
  ...
  # drop() here discards the record for this output only;
  # the other om_dbi instances still receive it.
  Exec if $SourceName != 'mysource' drop();
</Output>

You can set your custom field on the client side to make filtering easier.


Answered October 27, 2014 - 11:50am
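The layout the answer describes, written out as a complete client and server configuration. This is an added example, not configuration from the original post or from the NXLog project: the IIS log path, the `#Fields:` column list, the host names, the MySQL credentials and the table columns are assumptions that have to be adapted to the real environment. The client parses and tags each record with a custom `$LogType` field before sending it in binary format, which preserves every field; the server has one om_dbi instance per table, each dropping everything that is not its own type.

```nxlog
# ---------- Client (Windows web server) ----------

<Extension w3c>
    Module      xm_csv
    # Assumption: this must match the "#Fields:" header of the IIS logs.
    Fields      $date, $time, $s_ip, $cs_method, $cs_uri_stem, $cs_uri_query, $s_port, $cs_username, $c_ip, $cs_User_Agent, $sc_status, $sc_substatus, $sc_win32_status, $time_taken
    FieldTypes  string, string, string, string, string, string, integer, string, string, string, integer, integer, integer, integer
    Delimiter   ' '
</Extension>

<Input eventlog>
    Module      im_msvistalog
    # Tag the record so the server can route it without re-parsing anything.
    Exec        $LogType = 'eventlog';
</Input>

<Input iis>
    Module      im_file
    # Assumption: default IIS log location for the first site.
    File        "C:\\inetpub\\logs\\LogFiles\\W3SVC1\\u_ex*.log"
    # Comment/header lines start with '#'; everything else is parsed and tagged.
    Exec        if $raw_event =~ /^#/ drop(); else { w3c->parse_csv(); $LogType = 'iis'; $Hostname = hostname(); }
</Input>

<Output central>
    Module      om_tcp
    # Placeholder host name for the central collector.
    Host        logserver.example.internal
    Port        1514
    # Binary keeps all parsed fields, including the custom $LogType.
    OutputType  Binary
</Output>

<Route client>
    Path        eventlog, iis => central
</Route>

# ---------- Server (central collector) ----------

<Input fromclients>
    Module      im_tcp
    Host        0.0.0.0
    Port        1514
    InputType   Binary
</Input>

<Output db_eventlog>
    Module      om_dbi
    Driver      mysql
    Option      host 127.0.0.1
    Option      username nxlog
    Option      password CHANGEME
    Option      dbname logs
    # Records that are not event log entries are dropped for this output only.
    Exec        if $LogType != 'eventlog' drop();
    # Assumption: table and column names.
    SQL         INSERT INTO eventlog (hostname, eventtime, sourcename, eventid, message) \
                VALUES ($Hostname, '$EventTime', $SourceName, $EventID, $Message)
</Output>

<Output db_iis>
    Module      om_dbi
    Driver      mysql
    Option      host 127.0.0.1
    Option      username nxlog
    Option      password CHANGEME
    Option      dbname logs
    Exec        if $LogType != 'iis' drop();
    SQL         INSERT INTO iislog (hostname, c_ip, cs_method, cs_uri_stem, sc_status, time_taken) \
                VALUES ($Hostname, $c_ip, $cs_method, $cs_uri_stem, $sc_status, $time_taken)
</Output>

<Route server>
    # Every record reaches every om_dbi; each instance keeps only its own type.
    Path        fromclients => db_eventlog, db_iis
</Route>
```

Adding a table is then a matter of adding one more om_dbi block with its own `Exec if $LogType != '...' drop();` and appending it to the server route; the client only needs to set a new `$LogType` value. Records arriving without a `$LogType` field are dropped by every output, so a quick check that the client side sets the tag on each input (and that the `#Fields:` list matches the actual log header) is worth doing before relying on the database contents.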