[syslog-ng] need help with a match filter

Rory Toma rory at ooma.com
Mon Jan 25 23:38:46 CET 2010


Hmmm... Example 3.40 in the 3.0 syslog-ng documentation would seem to 
suggest otherwise, or am I just misunderstanding the syntax?

On 1/25/10 2:24 PM, chris packham wrote:
> Someone else on the list may correct me but I think you'll find that the destination is evaluated at the time syslog is started (or restarted) not when a log message is processed. I'm pretty sure there was a discussion on the list about something similar a while back (although I couldn't find it in my emails)
>
> So short answer is that you can't use a file destination. You may however get some mileage out of writing a custom program destination and do the last bit of processing in your program.
>
>    
>>>> Rory Toma<rory at ooma.com>  01/25/10 5:12 PM>>>
>>>>          
> Looking more at the docs, it looks like I also need a value for 3.0
> syntax. So I am trying something like below. However, the value of
> $foo_hostdir is not being set correctly. It is being set to
> "foo_hostdir". How do I get the value to be the value of the match?
>
> filter foo_filter {
>       match('host("foo_[0-9A-F]\{9\}$")'
>       value("foo_hostdir")
>       type("string")
>       );
> };
>
> # foo destinations
> destination foo_dest {
>
> file("/logs/$foo_hostdir/$R_YEAR$R_MONTH$R_DAY/$HOST-$R_YEAR$R_MONTH$R_DAY.log"
>       owner(root) group(root) perm(0444)
>       template("$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC $MSG\n")
> template_escape(no));
> };
>
> On 1/25/10 12:02 PM, Rory Toma wrote:
>    
>> I'm trying to dynamically create lognames and directories from the host
>> name that is sent. My hosts' names are of the form
>>
>> foo_<mac address>
>>
>> I want to create a destination that would be
>>
>> /logs/foo_<first 9 digits of mac address>//foo_.log
>>
>> Here is what I tried so far, and it does not work, but is close. Can
>> someone suggest a config that might work? Thx.
>>
>> I can do this individually, but having 100+ filters and 100+ log lines
>> in the config really slows things down.
>>
>> #filter for foo
>> filter foo_filter { match('host("foo_[0-9A-F]\{9\}$")'
>> flags("store-matches")); };
>>
>> # foo destinations
>> destination foo_dest {
>>
>> file("/logs/$0/$R_YEAR$R_MONTH$R_DAY/$HOST-$R_YEAR$R_MONTH$R_DAY.log"
>>            owner(root) group(root) perm(0444)
>>            template("$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC $MSG\n")
>> template_escape(no));
>> };
>>
>>
>>
>> ______________________________________________________________________________
>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>> FAQ: http://www.campin.net/syslog-ng/faq.html
>>
>>
>>      
>    
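The program-destination approach suggested in the quoted reply, as an added example that is not code from this thread or from syslog-ng: a small Python program that reads lines on stdin and picks the file itself. It assumes each line arrives as `HOST<TAB>message`, that the MAC is 12 uppercase hex digits with no separators, and that timestamps are taken when the line is read; all function and variable names are hypothetical. Because the directory name comes from a hostname the sender controls, the whole name is matched before any part of it is used in a path.

```python
import re
import sys
from datetime import datetime
from pathlib import Path

# Hypothetical names; the thread only fixes the host form foo_<mac address>
# and the /logs/<dir>/<date>/<host>-<date>.log layout.
LOG_ROOT = Path("/logs")
# Assumption: foo_ + 12 hex digits. Group 1 captures the first 9 of them.
HOST_RE = re.compile(r"foo_([0-9A-F]{9})[0-9A-F]{3}")


def log_path(host, when, root=LOG_ROOT):
    """Return the log file path for host, or None if it is not foo_<mac>."""
    m = HOST_RE.fullmatch(host)
    if m is None:
        # Anything else (including "/", "..", or a trailing newline) is refused,
        # so a crafted hostname cannot steer the write outside root.
        return None
    day = when.strftime("%Y%m%d")
    return root / f"foo_{m.group(1)}" / day / f"{host}-{day}.log"


def handle_line(line, when, root=LOG_ROOT):
    """Append one 'HOST<TAB>message' line to its file; return the path or None."""
    host, sep, msg = line.rstrip("\n").partition("\t")
    path = log_path(host, when, root) if sep else None
    if path is None:
        return None
    path.parent.mkdir(parents=True, exist_ok=True)
    with path.open("a", encoding="utf-8") as fh:
        fh.write(f"{when:%Y-%m-%d %H:%M:%S} {msg}\n")
    return path


if __name__ == "__main__":
    for raw in sys.stdin:
        if handle_line(raw, datetime.now()) is None:
            print("dropped line with unexpected host", file=sys.stderr)
```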
