You could do a regex on this.

filter f_group {
    host('^(?<GROUP>group.)' type('pcre') flags('store-matches'));
};
destination d_group {
    file("/log/$GROUP/$HOST");
};
log {
    source(s_local);
    filter(f_group);
    destination(d_group);
};

Sent: Fri Jul 22 2011 11:55:38 GMT-0600 (MST)
From: Jakub Jankowski <shasta@toxcorp.com>
To: syslog-ng@lists.balabit.hu
Subject: Re: [syslog-ng] can syslog-ng extract part of the hostname and make directory on the fly?

On Fri, 22 Jul 2011 09:28:35 -0500, fedora fedora wrote:
I have a few hundred hosts, and say

hosta has DNS name groupa-hosta
hostb has DNS name groupbhostb
hostc has DNS name groupc.hostc

..etc..etc (note the first 6 characters define the group)

When a log comes in, can syslog-ng extract the first 6 characters from the DNS name, and drop the log file to the corresponding group? (So log from hostb will go under /log/groupb/groupahostb )

I cannot predefine the groups though, since I don't know how many groups will be there; the only thing I know is the first 6 characters of the hostname will be the group name.

If there was a distinct separator between the group name and the rest, this would be trivial, see similar example in 3.2 OSE administrator guide:
http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.2-guid...

Without such separator, I think you'd have to use something I asked for: a substring function. This isn't included in 3.2 yet, but you can backport it quite easily (I'm using it without problems). See those threads:
https://lists.balabit.hu/pipermail/syslog-ng/2011-April/016329.html
https://lists.balabit.hu/pipermail/syslog-ng/2011-April/016359.html
https://lists.balabit.hu/pipermail/syslog-ng/2011-May/016502.html

HTH
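
A variant of the regex approach from the reply at the top of this thread, added here as an example and not part of any poster's configuration. It generalizes the literal `group.` pattern to any six characters from a fixed alphabet and adds a catch-all for hosts that do not match. `s_local` is the source name used in that reply; `d_ungrouped` and `/log/_ungrouped` are hypothetical names.

```conf
# Added example, not from the thread.
options {
    check-hostname(yes);   # check that received hostnames contain only valid characters
    create-dirs(yes);      # create /log/<group>/ on first use
};

filter f_group {
    # Capture exactly the first six characters, and only letters or digits,
    # so a path separator or dot can never become part of $GROUP.
    # groupa-hosta -> groupa, groupbhostb -> groupb, groupc.hostc -> groupc
    host("^(?<GROUP>[A-Za-z0-9]{6})" type("pcre") flags("store-matches"));
};

destination d_group     { file("/log/$GROUP/$HOST"); };

# Hypothetical catch-all so that hosts whose name does not start with six
# alphanumeric characters are still logged instead of silently dropped.
destination d_ungrouped { file("/log/_ungrouped/$HOST"); };

log { source(s_local); filter(f_group); destination(d_group); };
log { source(s_local); destination(d_ungrouped); flags(fallback); };
```

The `fallback` log path only receives messages that no other log path accepted, so a file appearing under the catch-all directory is a quick way to spot hosts that break the naming convention.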