[syslog-ng] need help with a match filter

chris packham chris.packham at alliedtelesis.co.nz
Mon Jan 25 23:24:13 CET 2010 

Someone else on the list may correct me but I think you'll find that the destination is evaluated at the time syslog is started (or restarted) not when a log message is processed. I'm pretty sure there was a discussion on the list about something similar a while back (although I couldn't find it in my emails)

So short answer is that you can't use a file desination. You may however get some mileage out of writing a custom program destination and do the last bit of processing in your program.

>>> Rory Toma <rory at ooma.com> 01/25/10 5:12 PM >>>
Looking more at the docs, it looks likes I also need a value for 3.0 
syntax. So I am trying something like below. However, the value of 
$foo_hostdir is not being set correctly. It is being set to 
"foo_hostdir". How do I get the value to be the value of the match?

filter foo_filter {
     match('host("foo_[0-9A-F]\{9\}$")'
     value("foo_hostdir")
     type("string")
     );
};

# foo destinations
destination foo_dest {
     
file("/logs/$foo_hostdir/$R_YEAR$R_MONTH$R_DAY/$HOST-$R_YEAR$R_MONTH$R_DAY.log"
     owner(root) group(root) perm(0444)
     template("$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC $MSG\n") 
template_escape(no));
};

On 1/25/10 12:02 PM, Rory Toma wrote:
> I'm trying to dynamically create lognames and directories form the host
> name that is sent. My hosts' names are of the form
>
> foo_<mac address>
>
> I want to create a destination that would be
>
> /logs/foo_<first 9 digits of mac address>//foo_.log
>
> Here is what I tried so far, and it does not work, but is close. Can
> someone suggest a config that might work? Thx.
>
> I can do this individually, but having 100+ filters and 100+ log lines
> in the config really slows things down.
>
> #filter for foo
> filter foo_filter { match('host("foo_[0-9A-F]\{9\}$")'
> flags("store-matches")); };
>
> # foo destinations
> destination foo_dest {
>
> file("/logs/$0/$R_YEAR$R_MONTH$R_DAY/$HOST-$R_YEAR$R_MONTH$R_DAY.log"
>           owner(root) group(root) perm(0444)
>           template("$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC $MSG\n")
> template_escape(no));
> };
>
>
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.campin.net/syslog-ng/faq.html
>
>    

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html

More information about the syslog-ng mailing list