You would have to follow up with the author to see if it is implemented yet, but there might be a solution using the regular expression functionality of syslog-ng.

*** This has not yet been implemented. ***
*** This post is to show how useful such a feature could be. ***

The basic idea is to match a regular expression on the host in the filter section and use the matched substring in the template. Log this to a *second* syslog-ng that does the writing to the files.

I know that this syntax was proposed by someone (me) so it is not yet in the current distribution of syslog-ng (Balazs - note to raise the priority :-).

In syslog-ng server 1

    source network { ... };

    filter multi-interface { host("^(.*)e[0-9]+(\..*)?$" fullhost myhost domain); };

    template rewrite { template("<PRI> $S_DATE $myhost$domain $MESSAGE"); template_escape(no); };
    template raw { template("<PRI> $S_DATE $HOST $MESSAGE"); template_escape(no); };

    destination second_syslog_rewrite { ... template(rewrite); };
    destination second_syslog_raw { ... template(raw); };

    log { source(network); filter(multi-interface); destination(second_syslog_rewrite); flags(final); };
    log { source(network); filter(multi-interface); destination(second_syslog_raw); flags(final); };

Then you use your second syslog with the normal "HOST" macro because it will never see the hostnames with the "e#" ending, they will have already been truncated.

Thinking this through a little more, you could use the filter of

    filter multi-interface { host("^(.*)(e[0-9]+)?(\..*)?$" fullhost myhost interface domain); };

and then use the macros $myhost$domain in place of all of your $HOST macros and not require the second syslog server/instance at all.

Evan.

mobidyc wrote:
2007/8/12, Jim Hendrick <jrhendri@maine.rr.com>:
Excuse me if you've already thought of this but, I assume your servers have multiple NICs on separate networks. Why would the same server forward its syslog messages to your central log server using different NICs? Wouldn't normal routing force it to connect using one NIC all the time?
No, one reason why we use multiple networks is that we have at least one network backup for servers.
i.e. is this really a problem? Have you seen the same server use different
NICs to talk to your log server?
yes
If you really are seeing this (and can't fix it at the source) I suppose you
could use a filter to look at the messages and define different destinations for each server, using a regexp on the host to determine which to put where.
Too difficult to maintain; we often have servers that are added to the network. I could write a shell script to auto-generate a config file but that seems ugly. But apparently, there are only ugly solutions for what I want:

I could either:
- statically put my servers in /etc/hosts
- statically put my servers in the syslog-ng.conf
- auto-create a syslog-ng.conf file each day through a crontab
- hack the syslog-ng source
- pass through program(); and call a script to auto-generate symlinks

As you can see, there are multiple solutions; I will choose one of them, I think.
thanks all for your help.
-- Mobidyc
-- Evan Rempel erempel@uvic.ca Senior Programmer Analyst 250.721.7691 Computing Services University of Victoria
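
Added example (not part of the original thread, and not syslog-ng code): a Python check of how the two host patterns proposed above split hostnames, and which distinct hosts a suffix-stripping rule would merge in the central log. Python's `re` stands in for syslog-ng's matcher, which may behave differently; the `LAZY` pattern, the function names and the sample hostnames are assumptions constructed for illustration.

```python
import re

# The two patterns from the post, with the proposed capture names mapped to
# Python named groups (Python's re module stands in for syslog-ng's matcher).
STRICT = re.compile(r"^(?P<myhost>.*)e[0-9]+(?P<domain>\..*)?$")
OPTIONAL = re.compile(r"^(?P<myhost>.*)(?P<interface>e[0-9]+)?(?P<domain>\..*)?$")
# Assumed alternative (not from the post): the host label stops at the first
# dot and is matched lazily, so the optional interface suffix can match.
LAZY = re.compile(r"^(?P<myhost>[^.]*?)(?P<interface>e[0-9]+)?(?P<domain>\..*)?$")


def normalize(pattern, host):
    """Return myhost+domain as the proposed template would; host unchanged if no match."""
    m = pattern.match(host)
    if m is None:
        return host
    return m.group("myhost") + (m.group("domain") or "")


def collisions(pattern, hosts):
    """Map each normalized name to the distinct source names that collapse into it."""
    merged = {}
    for h in hosts:
        merged.setdefault(normalize(pattern, h), []).append(h)
    return {k: v for k, v in merged.items() if len(v) > 1}


# Constructed sample hostnames: one server seen on two NICs, plus hosts whose
# real names happen to end in "e<digit>".
SAMPLE = ["db7e0.example.com", "db7e1.example.com", "node1.example.com",
          "node2.example.com", "mail.example.com"]

if __name__ == "__main__":
    for name, pat in (("strict", STRICT), ("optional", OPTIONAL), ("lazy", LAZY)):
        print(name)
        for h in SAMPLE:
            print(f"  {h:22} -> {normalize(pat, h)}")
        print("  merged:", collisions(pat, SAMPLE))
```

Running `collisions` over the real host inventory before enabling such a rewrite shows whether log lines from different machines would become indistinguishable under one name.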