Hello,

For test purposes I have changed my configuration, as you told me to do: now I try $HOST, $SOURCEIP and $SOURCE_IP for the destination folder, but nothing works! Take a look at my config, please:

# Syslog-ng configuration.
#
# what the default options are for files that it writes
#
options { sync(0); time_reopen(10); log_fifo_size(100); };

source src { unix-stream("/dev/log"); internal(); udp(ip("0.0.0.0") port(514)); };

filter f_messages { facility(local7); };
filter f_bootlog { facility(local7); };
filter f_authlog { facility(local7); };
# I know that this filter config doesn't make sense; it's only for testing purposes!

destination messages { file("/var/log/syslog-ng/$SOURCE_IP/messages" sync(0) log_fifo_size(10) create_dirs(yes) owner(root) group(system) perm(0660) dir_perm(0770)); };
destination bootlog { file("/var/log/syslog-ng/$SOURCEIP/boot.log" sync(0) log_fifo_size(10) create_dirs(yes) owner(root) group(system) perm(0660) dir_perm(0770)); };
destination authlog { file("/var/log/syslog-ng/$HOST/secure.log" sync(0) log_fifo_size(10) create_dirs(yes) owner(root) group(system) perm(0660) dir_perm(0770)); };

log { source(src); filter(f_messages); destination(messages); };
log { source(src); filter(f_bootlog); destination(bootlog); };
log { source(src); filter(f_authlog); destination(authlog); };

The results of this config:

destination messages (with $SOURCE_IP in the pathname) writes the file "messages" to "/var/log/syslog-ng/messages"

destination bootlog (with $SOURCEIP in the pathname) writes the file "boot.log" to "/var/log/syslog-ng/boot.log"

destination authlog (with $HOST in the pathname) works fine for Cisco network components! E.g. the logfile is stored in "/var/log/syslog-ng/10.146.18.3". Well!!!

As I wrote in an earlier mail, it doesn't work with Enterasys/Cabletron stuff.
They build folders like this:

/var/log/syslog-ng # ll
total 79
drwxr-x--- 2 root root 72 Jul 9 17:56 %CLI-E-FACUNKNWN,
drwxr-x--- 2 root root 72 Jul 13 20:16 %CLI-E-INCMPCMD,
drwxr-x--- 2 root root 72 Jul 9 19:05 %CLI-W-MODNOTFOUND,
drwxr-x--- 2 root root 72 Jul 17 07:38 %CONFIG-E-SEARCH,
drwxr-x--- 2 root root 72 Jul 14 00:23 %CONFIG-I-NOCHANGES,

At least please take a look at the syslog messages sent by different network components!

The Enterasys/Cabletron components send messages like this:

Jul 17 09:10:48 %STP-I-PORT_STATUS,/10.146.12.16 Port status change detected: et.1.7 - Port Down

The Ciscos use another formatting:

Jul 18 09:31:02 10.146.18.3/10.146.18.3 5392: 3w2d: %AMDP2_FE-5-EXCESSCOLL: Ethernet1/0 TDR=2, TRC=0

Could this cause the problem?? What can I do??

(Perhaps some important information: I am using syslog-ng version 1.4.14.)

Thank you in advance
Manfred Bürger

-----Original Message-----
From: Balazs Scheidler [mailto:bazsi@balabit.hu]
Sent: Wednesday, 17 July 2002 13:35
To: syslog-ng@lists.balabit.hu
Subject: Re: [syslog-ng]logfile save problem (again ;)

On Wed, Jul 17, 2002 at 11:33:41AM +0200, Buerger, Manfred wrote:
Hello,

I have changed my config as you told me to do:

destination local7 { file("/var/log/syslog-ng/$SOURCEIP/local7.log" sync(0) log_fifo_size(10) create_dirs(yes) owner(root) group(system) perm(0660) dir_perm(0770)); };

but I still have the same problem! The message: "Jul 17 02:19:19 %STATIC-W-GWAYNOTREACH,/10.146.18.5 Gateway 172.28.3.126 is not reachable." is stored in "/var/log/syslog-ng/%STATIC-W-GWAYNOTREACH,/local7.log" and not in "/var/log/syslog-ng/10.146.18.5/local7.log" !!!

Are you sure you have reloaded the configuration? SOURCE_IP always inserts IP addresses, as the following snippet shows:

    case M_SOURCE_IP: {
        char *ip;

        if (msg->saddr) {
            /* format the message's source address as a dotted quad */
            CAST(inet_address_info, addr, msg->saddr);
            ip = inet_ntoa(addr->sa.sin_addr);
        } else {
            /* no source address on the message: use loopback */
            ip = "127.0.0.1";
        }
        length = append_string(dest, left, ip, strlen(ip), escape);
        break;
    }

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1

_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
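
Added example, not part of the original mails and not syslog-ng code: a directory name taken from the host field of a message is sender-controlled text, while the address the packet came from is not. The sketch below uses the parsed host only when it looks like a hostname or IP and otherwise falls back to the sender address. The names host_token, plausible_host and log_dir are hypothetical, the samples are shortened copies of the two stored lines quoted above, and the header layout (host field after the 16-byte timestamp prefix, ending at a space or '/') is an assumption drawn from those lines.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed samples: shortened copies of the two stored lines in the mail. */
static const char *ENTERASYS = "Jul 17 09:10:48 %STP-I-PORT_STATUS,/10.146.12.16 Port status change detected";
static const char *CISCO = "Jul 18 09:31:02 10.146.18.3/10.146.18.3 5392: 3w2d: %AMDP2_FE-5-EXCESSCOLL";

/* Assumed model: host field follows the 16-byte "Mmm dd hh:mm:ss " prefix, ends at ' ' or '/'. */
static void host_token(const char *line, char *out, size_t n)
{
    size_t i = 0;
    const char *p = strlen(line) > 16 ? line + 16 : "";
    while (*p && *p != ' ' && *p != '/' && i + 1 < n)
        out[i++] = *p++;
    out[i] = '\0';
}

/* Allow only letters, digits, '.' and '-'; reject empty names and a leading '.' or '-'. */
static int plausible_host(const char *s)
{
    if (!*s || *s == '.' || *s == '-')
        return 0;
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && *s != '.' && *s != '-')
            return 0;
    return 1;
}

/* Directory name: the parsed host if plausible, otherwise the sender's address (n >= 16). */
const char *log_dir(const char *line, const char *peer_ip, char *out, size_t n)
{
    struct in_addr a;
    host_token(line, out, n);
    if (plausible_host(out))
        return out;
    if (inet_pton(AF_INET, peer_ip, &a) != 1 || !inet_ntop(AF_INET, &a, out, (socklen_t)n))
        snprintf(out, n, "127.0.0.1"); /* same fallback as the quoted snippet */
    return out;
}

int main(void)
{
    char d[64];
    printf("%s\n", log_dir(ENTERASYS, "10.146.12.16", d, sizeof d));
    printf("%s\n", log_dir(CISCO, "10.146.18.3", d, sizeof d));
    return 0;
}
```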