<div dir="ltr"><div><div><div>I am not sure what generates iptables.log and what's the format. You specified no-parse, which means that it will not try to parse timestamp and/or hostnames from it, but take one line and stuff that into the $MSG macro, in which case $HOST will be set to the name of the running host, at least on the client box.<br><br></div>On the server box, you can split incoming messages using the macro-capability of the file destination, e.g. you can do stuff like:<br><br></div>destination d_file {<br></div> file("/var/log/${HOST}/syslog");<br><div>};<br><br></div><div>Which will cause all messages to be logged to a per-host file, you can also include macros like $PROGRAM or both.<br><br></div><div>HTH,<br></div><div>Bazsi<br></div><div><div><br><br><br><br></div></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">-- <br>Bazsi<br></div></div></div>
<br><div class="gmail_quote">On Thu, Nov 10, 2016 at 2:13 AM, Varugis Kurien <span dir="ltr"><<a href="mailto:vkurien@midfinsystems.com" target="_blank">vkurien@midfinsystems.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div id="m_4302374494319712246divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Arial,Helvetica,sans-serif" dir="ltr">
<p>I'm having some conniptions doing central logging using syslog-ng. Here is the scenario:</p>
<ol>
<li>I generate logs using syslog-ng on local servers and then send them to a log-destination server. Here is an example of some of the conf files on the generating server:</li></ol>
<p></p>
<div><b>more iptables.log.conf </b><br>
<i>source s_var_log_iptables.log { file("/var/log/iptables.log" program-override(var_log_<wbr>iptables.log) flags(no-parse)); };<br>
log { source(s_var_log_iptables.log)<wbr>; destination(d_midfin_logger_2)<wbr>; };</i></div>
<p></p>
<p><br>
</p>
<p></p>
<div><b>more midfin_logger_2.conf </b><br>
<i>template t_sdx_tagged {<br>
template("$ISODATE $HOST $PROGRAM $MSG<br>
");<br>
template_escape(no);<br>
};<br>
destination d_midfin_logger_2 { tcp( "10.4.16.161" port(514) template(t_sdx_tagged)); };<br>
<br>
</i><br>
<br>
What I am trying to do on the log host is to:<br>
<br>
<ol>
<li>Segregate at the top level by host. For each such host:
<ol>
<li>Split the logs into different directories so that for example, I'll have one directory for the audit log from that host, another for iptables etc - so that under each host I'll have /var/log/iptables.log etc.
<br>
</li></ol>
</li></ol>
I've been unable to grok the documentation to figure out quite how to do this and would really appreciate some help.<br>
<br>
thanks<br>
vk<br>
==<br>
<br>
<br>
</div>
<p></p>
</div>
</div>
<br>______________________________<wbr>______________________________<wbr>__________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/<wbr>mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/<wbr>support/documentation/?<wbr>product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/<wbr>syslog-ng-faq</a><br>
<br>
<br></blockquote></div><br></div>