I had that for the most part, but it didn't work. I was using host in my filter (hostname throws a syntax error). Here is what I have for the most part for that section:<br><br>filter f_filter { host("^[0-9a-zA-Z\-]+\.domain\.[0-9a-zA-Z\-]+$"); };<br>
destination f_logs { file("/logs/$1/$2/$HOST/$YEAR-$MONTH-$DAY.log"); };<br>log { source(external);<br> filter(f_filter);<br> destination(f_logs);<br> flags(final);<br>};<br><br>When I start this, it does filter correctly, but it doesn't place them in the correct directories. Another example of what it does.<br>
<br>Hostname: abc.domain.xyz<br>It saves the log information in: /logs/abc.domain.xyz/2008-01-28.log<br><br>It completely ignores the $1/$2. I had restarted it and even changed the path to verify that it is reading the new configuration file.<br>
<br><br><div class="gmail_quote">On Jan 28, 2008 3:16 PM, Balazs Scheidler <<a href="mailto:bazsi@balabit.hu">bazsi@balabit.hu</a>> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div><div></div><div class="Wj3C7c"><br>On Mon, 2008-01-28 at 14:55 -0500, James Whitt wrote:<br>> I had asked this question about a year ago, but was told to wait for<br>> the new 2.0 version. I'm currently running the latest syslog-ng<br>
> 2.0.7.<br>><br>> What I would like to do is put the line in a specific file based on<br>> part of the hostname. For example:<br>><br>> Hostname: subdomain.domain.tld<br>><br>> destination customer_firewall_logs<br>
> { file("/logs/$TLD/$DOMAIN/$SUBDOMAIN/$R_YEAR-$R_MONTH-$R_DAY.log"); };<br>><br>> WHERE $TLD is the tld of the hostname, $DOMAIN is the domain from the<br>> hostname, and $SUBDOMAIN is the subdomain from the hostname. I would<br>
> like to be able to regex this information out of the hostname to use<br>> in the destination. Is this possible and any tips on getting it to<br>> work correctly would be greatly appreciated.<br><br></div></div>
You can do something like this:<br><br>filter f_tld { hostname("^[a-zA-Z0-9]+\.\(.$\)$"); };<br><br>Then your TLD is in the $1 macro, e.g. you can do something like:<br><br>destination d_file { file("/logs/$1/$DOMAIN/$SUBDOMAIN/$R_YEAR-$R_MONTH-$R_DAY.log"); };<br>
^^^<br><br>You can use up to 256 different $NNN macros, but only one regexp.<br><font color="#888888"><br>--<br>Bazsi<br><br>_______________________________________________<br>syslog-ng maillist - <a href="mailto:syslog-ng@lists.balabit.hu">syslog-ng@lists.balabit.hu</a><br>
<a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>Frequently asked questions at <a href="http://www.campin.net/syslog-ng/faq.html" target="_blank">http://www.campin.net/syslog-ng/faq.html</a><br>
<br></font></blockquote></div><br>
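An added example (not part of the thread and not syslog-ng code): a small Python model of the template expansion discussed above, comparing the regex as posted with a variant that has two capture groups. It assumes a numbered macro with no corresponding capture group expands to an empty string; `WITH_GROUPS` and `expand` are hypothetical names, and Python's `re` syntax stands in for syslog-ng's regex engine.

```python
import re

# Template and first regex are taken from the post; everything else is constructed.
TEMPLATE = "/logs/$1/$2/$HOST/$YEAR-$MONTH-$DAY.log"
NO_GROUPS = r"^[0-9a-zA-Z\-]+\.domain\.[0-9a-zA-Z\-]+$"        # as posted: no capture groups
WITH_GROUPS = r"^([0-9a-zA-Z\-]+)\.domain\.([0-9a-zA-Z\-]+)$"  # assumed variant: two groups


def expand(template, pattern, host, date=("2008", "01", "28")):
    """Model of the destination template: $N is capture group N, or "" if absent.

    Returns None when the filter regex does not match the host, otherwise a
    tuple (raw_path, effective_path) where effective_path has runs of '/'
    collapsed, which is the file the operating system actually opens.
    """
    m = re.match(pattern, host)
    if m is None:
        return None  # filter rejected the message, nothing is written
    macros = {"HOST": host, "YEAR": date[0], "MONTH": date[1], "DAY": date[2]}

    def sub(tok):
        name = tok.group(1)
        if name.isdigit():
            idx = int(name)
            # Assumption: an unset numbered macro expands to the empty string.
            return (m.group(idx) or "") if idx <= m.re.groups else ""
        return macros.get(name, "")

    raw = re.sub(r"\$([0-9]+|[A-Z_]+)", sub, template)
    return raw, re.sub(r"/+", "/", raw)


if __name__ == "__main__":
    host = "abc.domain.xyz"  # constructed sample hostname, same shape as in the post
    # Without groups, $1 and $2 are empty and the path collapses onto $HOST.
    print(expand(TEMPLATE, NO_GROUPS, host))
    # With groups, the captured labels become directories. The character class
    # excludes '/' and '.', so a captured value cannot add path components.
    print(expand(TEMPLATE, WITH_GROUPS, host))
```
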