Forgive my use of "then", I'm used to an 'if' having a 'then'. :) I've corrected it and I'm getting a clean syntax check. About to test it now. Thanks, -Mark Mark Faine System Administrator SAIC/NICS 215 Wynn Dr. 5065 Huntsville, AL 35805 256-961-1295 (Desk) 256-617-4861 (Work Cell) -----Original Message----- From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> On Behalf Of Faine, Mark R. (MSFC-IS40)[NICS] Sent: Monday, March 25, 2019 10:04 AM To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu> Subject: [non-nasa source] Re: [syslog-ng] Setting and using variables Thanks, yes, I eventually figured that out, but that means that template is not needed. I don't need to change the format of the message only the destination path. I don't know if I can do file attachments here so I'll summarize: (I've sanitized and stripped out lines to make it shorter) destination d_file { file("/var/log/remote/backup/$location/$HOST/$app/${HOST}_$app.log") create-dirs(yes) dir-owner("splunk") dir-group("splunk") dir-perm(0750)); ); In addition, I have a path that throws out some messages: log { source(pan_splunk); if {... destination { file("/dev/null"); }; }; }; I then have a log path that first sets the location variable in the message: if ( message('afrc') then { rewrite { set("afrc" value("location")); }; } elif ... ... } else { rewrite { set("unknown" value("location")); }; }; Then it sets the app variable: if ( tags('ASA-') ) { rewrite { set("asa" value("app")); }; } elif ... } else { rewrite { set("misc" value("app")); }; }; Then I set the destination to the file destination: destination(d_file); Mark Faine System Administrator SAIC/NICS 215 Wynn Dr. 5065 Huntsville, AL 35805 256-961-1295 (Desk) 256-617-4861 (Work Cell) -----Original Message----- From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> On Behalf Of Fabien Wernli Sent: Monday, March 25, 2019 9:24 AM To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu> Subject: Re: [syslog-ng] Setting and using variables I think you're misunderstanding the template concept. A template is there to tell syslog-ng in what format each message will be written to the destination. I might be misunderstanding, but if you want the same template, different files but only one destination, this could be what you want: template my_template { template("$DATE $HOST $PROGRAM $MESSAGE\n"); }; destination d_file { file( "/var/log/remote/backup/$location/$HOST/$app/${HOST}_$app.log" template(my_template) ); }; ______________________________________________________________________________ Member info: https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.balabit.hu_mailma... Documentation: https://urldefense.proofpoint.com/v2/url?u=http-3A__www.balabit.com_support_... FAQ: https://urldefense.proofpoint.com/v2/url?u=http-3A__www.balabit.com_wiki_sys... ______________________________________________________________________________ Member info: https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.balabit.hu_mailma... Documentation: https://urldefense.proofpoint.com/v2/url?u=http-3A__www.balabit.com_support_... FAQ: https://urldefense.proofpoint.com/v2/url?u=http-3A__www.balabit.com_wiki_sys...