I am not sure what generates iptables.log and what's the format. You specified no-parse, which means that it will not try to parse timestamp and/or hostnames from it, but take one line and stuff that into the $MSG macro, in which case $HOST will be set to the name of the running host, at least on the client box.

On the server box, you can split incoming messages using the macro-capability of the file destination, e.g. you can do stuff like:

    # create-dirs(yes) lets syslog-ng create the per-host directory on first use
    destination d_file { file("/var/log/${HOST}/syslog" create-dirs(yes)); };

Which will cause all messages to be logged to a per-host file, you can also include macros like $PROGRAM or both.

HTH, Bazsi
--
Bazsi

On Thu, Nov 10, 2016 at 2:13 AM, Varugis Kurien <vkurien@midfinsystems.com> wrote:
I'm having some conniptions doing central logging using syslog-ng. Here is the scenario:
1. I generate logs using syslog-ng on local servers and then send them to a log-destination server. Here is an example of some of the conf files on the generating server:
more iptables.log.conf

    # string options are quoted; no-parse ships each line of the file as-is in $MSG
    source s_var_log_iptables.log {
        file("/var/log/iptables.log" program-override("var_log_iptables.log") flags(no-parse));
    };
    log { source(s_var_log_iptables.log); destination(d_midfin_logger_2); };

more midfin_logger_2.conf

    # the trailing \n is needed so the receiver can split messages on the TCP stream
    template t_sdx_tagged { template("$ISODATE $HOST $PROGRAM $MSG\n"); template_escape(no); };
    destination d_midfin_logger_2 { tcp("10.4.16.161" port(514) template(t_sdx_tagged)); };
What I am trying to do on the log host is to:
1. Segregate at the top level by host. For each such host:
   1. Split the logs into different directories so that, for example, I'll have one directory for the audit log from that host, another for iptables etc. - so that under each host I'll have /var/log/iptables.log etc.
I've been unable to grok the documentation to figure out quite how to do this and would really appreciate some help.
thanks vk ==
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
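A server-side configuration for the per-host, per-program layout asked for in the quoted message, written as an added example and not taken from the thread; the listening address, the /var/log/remote base path and the sdx.* field names are assumptions. Because the client template is not RFC 3164, the server parses the four fields itself, and since both path components come from the remote message, a filter restricts them before they are used in a file name.

```conf
# Added example: server-side syslog-ng config for clients sending the
# "$ISODATE $HOST $PROGRAM $MSG\n" template. Listening address, base
# directory and the sdx.* field names are assumptions.
source s_remote {
    # no-parse: the whole received line lands in $MSG and is parsed below
    tcp(ip("0.0.0.0") port(514) flags(no-parse));
};

# The client template is not RFC 3164, so split the four space-separated
# fields ourselves; greedy lets the last column keep the rest of the line.
parser p_sdx_tagged {
    csv-parser(
        columns("sdx.date", "sdx.host", "sdx.program", "sdx.msg")
        delimiters(" ")
        flags(greedy)
    );
};

# Host and program become path components and are supplied by the remote
# sender, so only accept plain names (no slashes, no "." or ".." segments).
filter f_safe_path_parts {
    match('^[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*$' value("sdx.host") type(pcre))
    and match('^[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*$' value("sdx.program") type(pcre));
};

# One directory per host, one file per program, e.g.
# /var/log/remote/web01/var_log_iptables.log
destination d_per_host_program {
    file("/var/log/remote/${sdx.host}/${sdx.program}"
         create-dirs(yes)
         template("${sdx.date} ${sdx.msg}\n"));
};

log {
    source(s_remote);
    parser(p_sdx_tagged);
    filter(f_safe_path_parts);
    destination(d_per_host_program);
};
```

Messages whose host or program field fails the filter are dropped by this log path; route them to a separate catch-all file if you want to see what a misbehaving sender is producing.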