<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
Note: I might have mixed up naming, whoops. But I believe now you know what to do.</div>
<div id="appendonsend"></div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of Attila Szakacs (aszakacs) <Attila.Szakacs@oneidentity.com><br>
<b>Sent:</b> Tuesday, February 18, 2020 9:06 AM<br>
<b>To:</b> Frank DiGennaro <frank@digennaro.com>; 'Syslog-ng users' and developers' mailing list' <syslog-ng@lists.balabit.hu><br>
<b>Subject:</b> Re: [syslog-ng] Set log directory based on the source</font>
<div> </div>
</div>
<style type="text/css" style="display:none">
<!--
p
        {margin-top:0;
        margin-bottom:0}
-->
</style>
<div dir="ltr">
<div style="background-color:#FFEB9C; width:100%; border-style:solid; border-color:#9C6500; border-width:1pt; padding:2pt; font-size:10pt; line-height:12pt; font-family:'Calibri'; color:Black; text-align:left">
<span style="color:#9C6500; font-weight:bold">CAUTION:</span> This email originated from outside of the organization. Do not follow guidance, click links, or open attachments unless you recognize the sender and know the content is safe.</div>
<br>
<div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0); background-color:rgb(255,255,255)">
Hi!</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0); background-color:rgb(255,255,255)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0); background-color:rgb(255,255,255)">
I would not mix up the two sources in this case. You can define multiple logpaths:</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0); background-color:rgb(255,255,255)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0); background-color:rgb(255,255,255)">
<span style="font-family:Consolas,Courier,monospace">@define server-log "/tmp/var/log/cron.log"</span><span><br>
</span>
<div><span style="font-family:Consolas,Courier,monospace">@define client-log "/tmp/var/log/CLIENTS/$YEAR/$MONTH_ABBREV/$DAY/$HOST/cron.log"</span><br>
</div>
<div><br>
</div>
<div><span style="font-family:Consolas,Courier,monospace">source s_local {</span><br>
</div>
<div><span style="font-family:Consolas,Courier,monospace">...</span><br>
</div>
<div><span style="font-family:Consolas,Courier,monospace">};</span><br>
</div>
<div><br>
</div>
<div><span style="font-family:Consolas,Courier,monospace">source s_network {</span><br>
</div>
<div><span style="font-family:Consolas,Courier,monospace">...</span><br>
</div>
<div><span style="font-family:Consolas,Courier,monospace">};</span><br>
</div>
<div><br>
</div>
<div><span style="font-family:Consolas,Courier,monospace">destination d_cron_client {</span><br>
</div>
<div><span style="font-family:Consolas,Courier,monospace">  file("`server-log`" create-dirs(yes));</span><br>
</div>
<div><span style="font-family:Consolas,Courier,monospace">};</span><br>
</div>
<div><br>
</div>
<div><span style="font-family:Consolas,Courier,monospace">destination d_cron_server {</span><br>
</div>
<div><span style="font-family:Consolas,Courier,monospace">  file("`client-log`" create-dirs(yes));</span><br>
</div>
<div><span style="font-family:Consolas,Courier,monospace">};</span><br>
</div>
<div><br>
</div>
<div><span style="font-family:Consolas,Courier,monospace">log {</span><br>
</div>
<div><span style="font-family:Consolas,Courier,monospace">  source(s_local);</span><br>
</div>
<div><span style="font-family:Consolas,Courier,monospace">  destination(d_cron_client);</span><br>
</div>
<div><span style="font-family:Consolas,Courier,monospace">};</span><br>
</div>
<div><br>
</div>
<div><span style="font-family:Consolas,Courier,monospace">log {</span><br>
</div>
<div><span style="font-family:Consolas,Courier,monospace">  source(s_network);</span><br>
</div>
<div><span style="font-family:Consolas,Courier,monospace">  destination(d_cron_server);</span><br>
</div>
<span style="font-family:Consolas,Courier,monospace">};</span><br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0); background-color:rgb(255,255,255)">
<span style="font-family:Consolas,Courier,monospace"><br>
</span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0); background-color:rgb(255,255,255)">
<span style="font-family:Consolas,Courier,monospace">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0); background-color:rgb(255,255,255)">
Also the `create-dirs(yes)` option is necessary to allow syslog-ng to create the directories needed.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0); background-color:rgb(255,255,255)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0); background-color:rgb(255,255,255)">
I hope this does what you expect, if not, feel free to ask more <span id="x_🙂">🙂</span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0); background-color:rgb(255,255,255)">
<span><br>
</span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0); background-color:rgb(255,255,255)">
Regards,</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0); background-color:rgb(255,255,255)">
Attila</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0); background-color:rgb(255,255,255)">
</div>
<br>
</span></div>
<div id="x_appendonsend"></div>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="x_divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of Frank DiGennaro <frank@digennaro.com><br>
<b>Sent:</b> Monday, February 17, 2020 3:15 PM<br>
<b>To:</b> 'Syslog-ng users' and developers' mailing list' <syslog-ng@lists.balabit.hu><br>
<b>Subject:</b> Re: [syslog-ng] Set log directory based on the source</font>
<div> </div>
</div>
<div class="x_BodyFragment"><font size="2"><span style="font-size:11pt">
<div class="x_PlainText">CAUTION: This email originated from outside of the organization. Do not follow guidance, click links, or open attachments unless you recognize the sender and know the content is safe.<br>
<br>
<br>
Hello;<br>
    Thanks for the input but I am still missing something here. This is what I have implemented but still can't get it to work.<br>
Thanks;<br>
Frank<br>
<br>
@define server-logdir "/var/log"<br>
@define client-logdir "/var/log/CLIENTS/$YEAR/$MONTH_ABBREV/$DAY/$HOST"<br>
@define logdir ""<br>
<br>
rewrite r_logdir {<br>
    set(<br>
        "server-logdir"<br>
        value( "logdir" )<br>
        condition( source( "s_local" ) )<br>
    );<br>
    set(<br>
        "client-logdir"<br>
        value( "logdir" )<br>
        condition( source( "s_network" ) )<br>
    );<br>
};<br>
<br>
source s_local {<br>
...<br>
};<br>
<br>
source s_network {<br>
...<br>
};<br>
<br>
destination d_cron {<br>
        file( "`logdir`/cron.log" );<br>
};<br>
<br>
log {<br>
    source( s_local );<br>
    source( s_network );<br>
    rewrite(r_logdir);<br>
    filter( f_cron );<br>
    destination( d_cron );<br>
};<br>
<br>
-----Original Message-----<br>
From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> On Behalf Of Peter Kokai (pkokai)<br>
Sent: Thursday, January 30, 2020 12:14 PM<br>
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu><br>
Subject: Re: [syslog-ng] Set log directory based on the source<br>
<br>
Hello,<br>
<br>
You could use macro in order to create different logpath with one file destination:<br>
<br>
```<br>
destination d_local0 {<br>
  file( "${LOGDIR}/local/local0.log" );<br>
};<br>
```<br>
<br>
This is going to create a path based on the current logmessage $LOGDIR variable/macro.<br>
<br>
The question remains how to calculate $LOGDIR.<br>
One option you could use:<br>
<br>
```<br>
source s_local0 {<br>
        internal();<br>
};<br>
<br>
source s_network {<br>
        network(port(1111));<br>
};<br>
<br>
destination d_local {<br>
        file("${LOGDIR}/some/path.txt"); };<br>
<br>
rewrite r_logdir {<br>
  set("logdir-server" value("LOGDIR") condition( source("s_network") ) );<br>
  set("logdir-client" value("LOGDIR") condition( source("s_local0") ) ); };<br>
<br>
log {<br>
        source(s_local0);<br>
        source(s_network);<br>
<br>
        rewrite(r_logdir);<br>
<br>
        destination(d_local);<br>
};<br>
```<br>
<br>
The rewrite possible can be replaced, but if you have low number of different path I guess it is enough. (Also you could write more complex condition for different logdir names.)<br>
<br>
--<br>
Kokan<br>
<br>
On Thu, Jan 30, 2020 at 11:25:26AM -0500, Frank DiGennaro wrote:<br>
> CAUTION: This email originated from outside of the organization. Do not follow guidance, click links, or open attachments unless you recognize the sender and know the content is safe.<br>
><br>
> Hello;<br>
>     I'm somewhat of a newbie when it comes to syslog-ng so forgive me if the question is somewhat basic. I am running syslog-ng 3.25 on both server and clients and would like to set a variable based on the source. This is what I have:<br>
><br>
> @define server-logdir "/var/log"<br>
> @define client-logdir "/var/log/CLIENTS/$YEAR/$MONTH_ABBREV/$DAY/$HOST"<br>
> @define logdir ""<br>
><br>
> source s_local {<br>
>     logdir `server-logdir`;  *No!<br>
>     ...<br>
>     ...<br>
> };<br>
> source s_network {<br>
>     logdir `client-logdir`;  *No!<br>
>     ...<br>
>     ...<br>
> };<br>
> destination d_local0 {<br>
>     file( "`logdir`/local/local0.log" ); };<br>
><br>
> The goal is to set 'logdir' to either 'server-logdir' or<br>
> 'client-logdir' and use it in the destination. I know there are probably several ways that this can be accomplished but I think this was will cut down on the number of lines in the configuration. So my question Is this. How do I set 'logdir' to either 'server-logdir'
 or 'client-logdir' in the source definition?<br>
> Thanks;<br>
><br>
> DiGennaro<br>
> Frank DiGennaro<br>
> 301-676-8193 (C)<br>
> frank@digennaro.com<<a href="mailto:frank@digennaro.com">mailto:frank@digennaro.com</a>><br>
><br>
<br>
> ______________________________________________________________________<br>
> ________ Member info:<br>
> <a href="https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Flist">
https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Flist</a><br>
> s.balabit.hu%2Fmailman%2Flistinfo%2Fsyslog-ng&amp;data=02%7C01%7CPeter<br>
> .Kokai%40oneidentity.com%7C74d83ff1c9024e60428408d7a5a108c8%7C91c369b5<br>
> 1c9e439c989c1867ec606603%7C0%7C0%7C637159983378113505&amp;sdata=jRbzD6<br>
> 8qb8i3PvTtOwXN4XMQRG%2Fx2DLR%2FiUg%2FTUigfQ%3D&amp;reserved=0<br>
> Documentation:<br>
> <a href="https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.b">
https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.b</a><br>
> alabit.com%2Fsupport%2Fdocumentation%2F%3Fproduct%3Dsyslog-ng&amp;data<br>
> =02%7C01%7CPeter.Kokai%40oneidentity.com%7C74d83ff1c9024e60428408d7a5a<br>
> 108c8%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637159983378113505&<br>
> amp;sdata=GLC5NR2Fm4dmXz%2BtyRxRD4CnERaOKDBsQ11xSN0ykhs%3D&amp;reserve<br>
> d=0<br>
> FAQ:<br>
> <a href="https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.b">
https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.b</a><br>
> alabit.com%2Fwiki%2Fsyslog-ng-faq&amp;data=02%7C01%7CPeter.Kokai%40one<br>
> identity.com%7C74d83ff1c9024e60428408d7a5a108c8%7C91c369b51c9e439c989c<br>
> 1867ec606603%7C0%7C0%7C637159983378113505&amp;sdata=xvZE3offYnT%2BLlR6<br>
> 7tlWPYwB26L5Mulaj7YQMViKDdU%3D&amp;reserved=0<br>
><br>
______________________________________________________________________________<br>
Member info: <a href="https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.balabit.hu%2Fmailman%2Flistinfo%2Fsyslog-ng&data=02%7C01%7Cattila.szakacs%40oneidentity.com%7Caadf325ed4b04a96f3a908d7b4496ea7%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637176099804957506&sdata=BFj2A4txGZYuVT6Eq%2F9xD290QA%2FMxccox0SB%2BE%2F5cZc%3D&reserved=0" originalsrc="https://lists.balabit.hu/mailman/listinfo/syslog-ng" shash="A7zVGkIIDXBruU1XGNdBy1oUoyDXooTGyLhiWN5TZJY+cyh8rz3ydne/TVVPW8tm7odzEcJnQ0yUus0Oi5x+NDhhmLHAQR7TYORchgf20jVNxZVVYdbOc82GBA+byQWhUDXvuwJg3M4OFFjD2uEYkJC9EUKXe6SGhQTf8naV5D8=">
https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.balabit.hu%2Fmailman%2Flistinfo%2Fsyslog-ng&amp;data=02%7C01%7CAttila.Szakacs%40oneidentity.com%7C86a7d431093d4c53886e08d7b3b3cbd2%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637175457109309159&amp;sdata=RuqJ7F0VKuuJ%2FhT8ufWaWipWFzU5DKLYLmxgumqefQ8%3D&amp;reserved=0</a><br>
Documentation: <a href="https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fsupport%2Fdocumentation%2F%3Fproduct%3Dsyslog-ng&data=02%7C01%7Cattila.szakacs%40oneidentity.com%7Caadf325ed4b04a96f3a908d7b4496ea7%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637176099804967463&sdata=yJsOP5Kua0NHxwyZqzFNKQddZ0jaV9xlMkmR1hFRZFk%3D&reserved=0" originalsrc="http://www.balabit.com/support/documentation/?product=syslog-ng" shash="Vi/W2dxlASNrRgF6BQbzsrhnz4zKY+ihTKY3uhhCAkAo3icC7nl1i8O3SYqFc7y6A9WsrhtmH05hhg4QO68ItUcRGod2sIRgbahqKrgNNNBiaej21roSyJxLfBjKTg5nLHjaKUymu7B0f1tkFuPRkPnU7U3kAVhW5WWFL5zje3o=">
https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fsupport%2Fdocumentation%2F%3Fproduct%3Dsyslog-ng&amp;data=02%7C01%7CAttila.Szakacs%40oneidentity.com%7C86a7d431093d4c53886e08d7b3b3cbd2%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637175457109309159&amp;sdata=bgP9jDwcFMkrKHUY5I3nROD%2B4sHG%2B2DupHhxbXFtZEM%3D&amp;reserved=0</a><br>
FAQ: <a href="https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fwiki%2Fsyslog-ng-faq&data=02%7C01%7Cattila.szakacs%40oneidentity.com%7Caadf325ed4b04a96f3a908d7b4496ea7%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637176099804967463&sdata=kY4J37l7%2FELmwY3KNpcMjATmIAv1xHXWFs76meS9j24%3D&reserved=0" originalsrc="http://www.balabit.com/wiki/syslog-ng-faq" shash="DVJMNBiOyNcEqgAfH7i9blZG7KE1hdNZPFjPW9GMzQSGVNDXAgXr2yDKKwF8EOR/vgJHDGUQNIVbDQEiRs1FE+AHwSCjUmTfS/bBshz6sk+xbaMxfMuXnqrEIr4NQoc018hxdh+o68SQJ+volKaE+wCaxURDlrGBxi2wA2rVVqo=">
https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fwiki%2Fsyslog-ng-faq&amp;data=02%7C01%7CAttila.Szakacs%40oneidentity.com%7C86a7d431093d4c53886e08d7b3b3cbd2%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637175457109309159&amp;sdata=zbsHBCoLmI2%2F85Sdvuw1HM5u3LTzULKUvd%2BpiWCCZFg%3D&amp;reserved=0</a><br>
<br>
<br>
______________________________________________________________________________<br>
Member info: <a href="https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.balabit.hu%2Fmailman%2Flistinfo%2Fsyslog-ng&data=02%7C01%7Cattila.szakacs%40oneidentity.com%7Caadf325ed4b04a96f3a908d7b4496ea7%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637176099804967463&sdata=dGMOoXOyoE7uBGq%2BWDxOOriRoQqaSsIHboV07dnzjys%3D&reserved=0" originalsrc="https://lists.balabit.hu/mailman/listinfo/syslog-ng" shash="LY/VLUQgUOB7Vcjn1M52lFRq6c5lJ2lKy1JVz3SqBjXmNQ53sITssBxpYSFmEk4TBEGavX7NbQfbPUUU44zzX5Gv6nxQ5kV82QIC7OeIr4NB0IjI9A+By62ajU11SJTnC8npDjW0HFZjv/RrlrCa789QBNSO9AtH6U5ubyR+K1s=">
https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.balabit.hu%2Fmailman%2Flistinfo%2Fsyslog-ng&amp;data=02%7C01%7CAttila.Szakacs%40oneidentity.com%7C86a7d431093d4c53886e08d7b3b3cbd2%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637175457109309159&amp;sdata=RuqJ7F0VKuuJ%2FhT8ufWaWipWFzU5DKLYLmxgumqefQ8%3D&amp;reserved=0</a><br>
Documentation: <a href="https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fsupport%2Fdocumentation%2F%3Fproduct%3Dsyslog-ng&data=02%7C01%7Cattila.szakacs%40oneidentity.com%7Caadf325ed4b04a96f3a908d7b4496ea7%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637176099804977419&sdata=CLk7qQOOqGoKJTNcIZXXLVQ75Ig9bw550UsXkv10kkU%3D&reserved=0" originalsrc="http://www.balabit.com/support/documentation/?product=syslog-ng" shash="C+p7cQscJUhnF1iiFSDnOlyvISk5XVDCihprHkOXEUd/9ZvfHxROV/P4/kfbtNrZzukt9dE2wmoB2RUM+Kw3hcOI0p7oVOCLV5Uyi+hJ9j2YeeqHHcamnoGO0dY5grjdefcXb7BT1DB18UaWzZJsjyiiy+189BA4xG2MqkkNKYc=">
https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fsupport%2Fdocumentation%2F%3Fproduct%3Dsyslog-ng&amp;data=02%7C01%7CAttila.Szakacs%40oneidentity.com%7C86a7d431093d4c53886e08d7b3b3cbd2%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637175457109309159&amp;sdata=bgP9jDwcFMkrKHUY5I3nROD%2B4sHG%2B2DupHhxbXFtZEM%3D&amp;reserved=0</a><br>
FAQ: <a href="https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fwiki%2Fsyslog-ng-faq&data=02%7C01%7Cattila.szakacs%40oneidentity.com%7Caadf325ed4b04a96f3a908d7b4496ea7%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637176099804977419&sdata=T5YHRssJIhs1YesYjzVfNw1G9qPRs86L3crAdqK2Is0%3D&reserved=0" originalsrc="http://www.balabit.com/wiki/syslog-ng-faq" shash="vcx6fGpM2Sbs4GdbeV9dkMkkGskL2tnp//YTJ3I3V3Vis+hrcdLusLDYGPPJlsRHk1SsMXZ3gxwNP90j1+CFM/7IDhvdeCdym/ZGMjfx0MQiJO0pROefib//FJBI89phjB+dhLns7P1RaoLI0c5uY9ZcJXvqeRB+rselm++sUfs=">
https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fwiki%2Fsyslog-ng-faq&amp;data=02%7C01%7CAttila.Szakacs%40oneidentity.com%7C86a7d431093d4c53886e08d7b3b3cbd2%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637175457109309159&amp;sdata=zbsHBCoLmI2%2F85Sdvuw1HM5u3LTzULKUvd%2BpiWCCZFg%3D&amp;reserved=0</a><br>
<br>
</div>
</span></font></div>
</div>
</div>
</body>
</html>