My question is about using regex and breaking up the parts of a string to use in the destination. Here's the situation. We have all of our firewalls logging into one box that is running syslog-ng. We want to break them up into a directory structure such as:
    /logs/location1/firewall/host1/
    /logs/location2/firewall/host1/
    /logs/location2/firewall/host2/
Now the hostname contains all the information needed to do this. For example, a host name might be:

    firewallname.firewall.location1
    anothername.firewall.location2

Up to this point, for each location I've had to do the following in syslog to map to the correct directory:
    destination location1_firewall { file("/logs/location1/firewall/$HOST/$R_YEAR-$R_MONTH-$R_DAY.log"); };
    filter location1_firewall { host(.firewall.location1$); };
    log { source(external); filter(location1_firewall); destination(location1_firewall); };
This works completely fine. The only issue is that we have over 80 different locations, so these three lines would need to be modified and added for each location. We're also adding more over time, so each time another location is set up, we need to go through the configuration and update it. I was hoping there would be a way to just combine them all together. Something like:
    destination firewall {
        host(.firewall.(.+)$);
        file("/logs/$1/firewall/$HOST/$R_YEAR-$R_MONTH-$R_DAY.log");
    };
    filter firewall { host(.firewall.); };
    log { source(external); filter(firewall); destination(firewall); };
I know the regex syntax might be different, but was curious if this kind of situation is possible.
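As an added example that is not part of the original post: syslog-ng (a 3.x release is assumed) can do what the last snippet sketches. The `store-matches` flag on a filter regex keeps the capture groups as `$0`..`$255` for the rest of the log path, so a group captured in the `host()` filter can be used as `$1` in the destination template. The source `external` is assumed to be defined as in the existing configuration and is not repeated here.

```conf
# Added example, not the original poster's configuration.
# One filter + one destination covers every location: the location name is
# captured from the hostname in the filter and reused as $1 in the file path.

# Match hosts of the form <name>.firewall.<location>.
# Single quotes keep the backslashes literal for the regex engine.
# The location group is restricted to [A-Za-z0-9_-] so that whatever a client
# reports in the HOST field cannot inject '.', '/' or '..' into the directory
# path; a hostname that does not fit the pattern simply does not match.
filter f_firewall {
    host('\.firewall\.([A-Za-z0-9_-]+)$' flags(store-matches));
};

# $1 is the location captured above; create_dirs(yes) means a newly added
# location gets its directory on first message, with no config change.
destination d_firewall {
    file("/logs/$1/firewall/$HOST/$R_YEAR-$R_MONTH-$R_DAY.log"
         create_dirs(yes)
         dir_perm(0750)
         perm(0640));
};

# Filter runs before the destination in the same log path, so the stored
# matches are still set when the template is expanded.
log {
    source(external);
    filter(f_firewall);
    destination(d_firewall);
};
```

One practical check after reloading: send a test message from a host named like `test.firewall.location1` and confirm the file lands under `/logs/location1/firewall/test.firewall.location1/`; a message whose hostname does not end in `.firewall.<location>` is dropped by the filter rather than written to an unexpected directory.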