<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#0050d0">
You could do a regex on this.<br>
<br>
filter f_group {<br>
host('^(?<GROUP>group.)' type('pcre')
flags('store-matches'));<br>
};<br>
destination d_group {<br>
file("/log/$GROUP/$HOST");<br>
};<br>
log { source(s_local); filter(f_group); destination(d_group); };<br>
<br>
<br>
Sent: Fri Jul 22 2011 11:55:38 GMT-0600 (MST)<br>
From: Jakub Jankowski <a class="moz-txt-link-rfc2396E" href="mailto:shasta@toxcorp.com"><shasta@toxcorp.com></a><br>
To: <a class="moz-txt-link-abbreviated" href="mailto:syslog-ng@lists.balabit.hu">syslog-ng@lists.balabit.hu</a> <br>
Subject: Re: [syslog-ng] can syslog-ng extract part of the hostname
and make directory on the fly?
<blockquote cite="mid:20110722195538.12ef57e6@dirac.lan.toxcorp.com"
type="cite">
<pre wrap="">On Fri, 22 Jul 2011 09:28:35 -0500, fedora fedora wrote:
</pre>
<blockquote type="cite">
<pre wrap="">I have few hundreds of hosts, and say
hosta has dns name groupa-hosta
hostb has dns name groupbhostb
hostc has dns name groupc.hostc
..etc..etc (note the first 6 characters defines the group)
When a log comes in, can syslog-ng extracts the first 6 character from dns
name, and drop the log file to the corresponding group? (So log from hostb
will go under /log/groupb/groupahostb )
I cannot predefine the groups though, since i don't know how many groups
will be there, the only thing i know is the first 6 character of the
hostname will be the group name
</pre>
</blockquote>
<pre wrap="">
If there was a distinct separator between the group name and the rest, this
would be trivial, see similar example in 3.2 OSE administrator guide:
<a class="moz-txt-link-freetext" href="http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.2-guide-admin-en.html/index.html-single.html#example_parser">http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.2-guide-admin-en.html/index.html-single.html#example_parser</a>
Without such separator, I think you'd have to use something I asked for: a
substring function. This isn't included in 3.2 yet, but you can backport it
quite easily (I'm using it without problems). See those threads:
<a class="moz-txt-link-freetext" href="https://lists.balabit.hu/pipermail/syslog-ng/2011-April/016329.html">https://lists.balabit.hu/pipermail/syslog-ng/2011-April/016329.html</a>
<a class="moz-txt-link-freetext" href="https://lists.balabit.hu/pipermail/syslog-ng/2011-April/016359.html">https://lists.balabit.hu/pipermail/syslog-ng/2011-April/016359.html</a>
<a class="moz-txt-link-freetext" href="https://lists.balabit.hu/pipermail/syslog-ng/2011-May/016502.html">https://lists.balabit.hu/pipermail/syslog-ng/2011-May/016502.html</a>
HTH
</pre>
</blockquote>
</body>
</html>