Hello! I have the exact same problem. I hadn't even thought of using $PROGRAM until I read about it in this thread. So I whacked together a very short syslog-ng.conf for testing. ------- options { long_hostnames(off); sync(0); }; source src { unix-stream("/dev/log"); internal(); udp(ip(0.0.0.0) port(514)); }; destination d_program { file("/var/syslog/$HOST/$PROGRAM"); }; destination d_facility {file("/var/syslog/$HOST/$FACILITY"); }; log { source("src"); destination("d_facility"); }; log { source("src"); destination("d_program"); }; ------- $HOST expands nicely but $PROGRAM and $FACILITY do not, unless the log message comes from the local machine. If the message is received via network everything ends up in "/var/syslog/$HOST/(NULL)" Here is an extract from one of the (NULL)-files. Feb 22 11:02:07 anarchy automount[13284]: running expiration on path /home Feb 22 11:02:07 anarchy automount[13284]: expired /home/fredrik Feb 22 11:02:07 anarchy automount[13284]: expired /home/fredrik Feb 22 11:02:07 anarchy automount[13284]: expired /home/www Feb 22 11:06:08 anarchy PAM_pwdb[13289]: (su) session opened for user news by (u id=9) Feb 22 11:06:08 anarchy PAM_pwdb[13289]: (su) session closed for user news Feb 22 11:07:07 anarchy automount[13334]: running expiration on path /home Feb 22 11:07:07 anarchy automount[13334]: expired /home/fredrik Feb 22 11:07:07 anarchy automount[13334]: expired /home/fredrik Feb 22 11:07:07 anarchy automount[13334]: expired /home/www Feb 22 11:08:32 anarchy logger: testing Feb 22 11:08:44 anarchy logger: testing again :-) Feb 22 11:10:03 anarchy sshd[13339]: log: Connection from 130.238.149.103 port 1021 Feb 22 11:10:04 anarchy sshd[13339]: fatal: Connection closed by remote host. /John On Tue, 22 Feb 2000, Balazs Scheidler wrote:
Feb 21 15:53:56 floyd/floyd sshd[12597]: Accepted password for red from 209.144.112.109 port 1050 Feb 21 15:54:01 floyd/floyd su[12608]: + pts/2 red-root Feb 21 16:00:07 floyd/floyd ntpdate[12633]: adjust time server 209.144.112.3 offset 0.094803 sec
I couldn't reproduce the problem. It worked great here, and created the files as needed.
-- Bazsi PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1 url: http://www.balabit.hu/pgpkey.txt
_______________________________________________ syslog-ng maillist - syslog-ng@lists.balabit.hu http://lists.balabit.hu/mailman/listinfo/syslog-ng