I had that for the most part, but it didn't work. I was using host in my filter (hostname throws a syntax error). Here is what I have for the most part for that section:

filter f_filter { host("^[0-9a-zA-Z\-]+\.domain\.[0-9a-zA-Z\-]+$"); };
destination f_logs { file("/logs/$1/$2/$HOST/$YEAR-$MONTH-$DAY.log"); };
log { source(external); filter(f_filter); destination(f_logs); flags(final); };

When I start this, it does filter correctly, but it doesn't place them in the correct directories. Another example of what it does.

Hostname: abc.domain.xyz
It saves the log information in: /logs/abc.domain.xyz/2008-01-28.log

It completely ignores the $1/$2. I had restarted it and even changed the path to verify that it is reading the new configuration file.

On Jan 28, 2008 3:16 PM, Balazs Scheidler <bazsi@balabit.hu> wrote:
On Mon, 2008-01-28 at 14:55 -0500, James Whitt wrote:
I had asked this question about a year ago, but was told to wait for the new 2.0 version. I'm currently running the latest syslog-ng 2.0.7.
What I would like to do is put the line in a specific file based on part of the hostname. For example:
Hostname: subdomain.domain.tld
destination customer_firewall_logs { file("/logs/$TLD/$DOMAIN/$SUBDOMAIN/$R_YEAR-$R_MONTH-$R_DAY.log"); };
WHERE $TLD is the tld of the hostname, $DOMAIN is the domain from the hostname, and $SUBDOMAIN is the subdomain from the hostname. I would like to be able to regex this information out of the hostname to use in the destination. Is this possible and any tips on getting it to work correctly would be greatly appreciated.
You can do something like this:
filter f_tld { hostname("^[a-zA-Z0-9]+\.\(.$\)$"); };
Then your TLD is in the $1 macro, e.g. you can do something like:
destination d_file { file("/logs/$1/$DOMAIN/$SUBDOMAIN/$R_YEAR-$R_MONTH-$R_DAY.log"); };
                                 ^^^
You can use up to 256 different $NNN macros, but only one regexp.
-- Bazsi
_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
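An added illustration, not part of the original thread or of syslog-ng: the filter pattern posted in the reply contains no capture groups, so a numbered macro has nothing to refer to, and the reported path is exactly what the template produces when $1 and $2 expand to empty strings. Python's `re` module stands in for the regex engine here, the names `expand` and `GROUPED` are hypothetical, and whether syslog-ng 2.0.7 passes `host()` match groups on to a destination template is not established by the thread.

```python
import posixpath
import re

# Pattern exactly as posted in the reply: it matches, but defines no groups.
POSTED = r"^[0-9a-zA-Z\-]+\.domain\.[0-9a-zA-Z\-]+$"
# Constructed variant with each label wrapped in a capture group.
# Groups are numbered left to right: 1 = first label, 2 = domain, 3 = TLD.
GROUPED = r"^([0-9a-zA-Z\-]+)\.(domain)\.([0-9a-zA-Z\-]+)$"

# Destination template from the reply.
TEMPLATE = "/logs/$1/$2/$HOST/$YEAR-$MONTH-$DAY.log"


def expand(pattern, host, template=TEMPLATE, date=("2008", "01", "28")):
    """Expand a $MACRO template; macros with no value become ''."""
    m = re.match(pattern, host)
    if m is None:
        return None  # filter does not match, message is not routed here
    macros = {"HOST": host, "YEAR": date[0], "MONTH": date[1], "DAY": date[2]}
    for n, value in enumerate(m.groups(), start=1):
        macros[str(n)] = value

    def substitute(match):
        return macros.get(match.group(1), "")

    path = re.sub(r"\$([A-Z]+|\d+)", substitute, template)
    # "/logs///host/..." and "/logs/host/..." name the same file on POSIX.
    return posixpath.normpath(path)


if __name__ == "__main__":
    host = "abc.domain.xyz"  # hostname used in the reply
    print(expand(POSTED, host))   # no groups: $1/$2 vanish from the path
    print(expand(GROUPED, host))  # groups present: $1/$2 are filled in
    # HOST arrives from the network; the anchored character class is what
    # keeps "/" and ".." out of the destination path.
    print(expand(GROUPED, "../etc.domain.xyz"))
```

Because groups are numbered left to right, a TLD-first layout like the one in the original question would reference the third group first, e.g. a template of the form `/logs/$3/$2/$1/...`.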