Globs can't extract matches into name-value pairs. Btw, pcre can also extract into named matches, so you can directly extract into $HOST.

On Wed, Mar 25, 2020, 15:25 Syslogng <syslogng@master666.com> wrote:
Hi,
Thanks for your information, I managed to do this with:
# the parentheses form capture group 1, which is what $1 in the destination refers to
filter f_host { match('original_source=([^\.]*)' flags(store-matches) value('MSGONLY') type("pcre")); };
destination d_host { file("/data/$1/messages.log"); };
If it can help someone else.
Maybe a last question: would it not be better to use glob in this case to reduce CPU usage? But I didn't manage to do it with different tries like:
filter f_host { match("original_source=*.example.com" flags(store-matches) value('MSGONLY') type("glob")); };
---- On Tue, 24 Mar 2020 07:18:37 +0100 Balazs Scheidler <bazsi77@gmail.com> wrote ----
Hi,
You can extract values from $MSG by using regexps (by using a regexp based filter with the flags(store-matches) option), or by using csv-parser() with a custom separator (this should be faster) or even db-parser. In any case, once you extracted the server name just make sure to store it in $HOST and then you can use $HOST in your destination filename.
On Mon, Mar 23, 2020 at 7:16 PM Syslogng <syslogng@master666.com> wrote:
-- Bazsi
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
Hi,
We receive aggregated syslog from a server (all logs are sent from 1 IP). Also, all the events are mixed. The name of the host sending the initial traffic is in each event.
ex: 2020/03/23 [notice] [user] New original_source=SERV1.example.com Task=0 ....
How to recover SERV1, which is always preceded by "original_source=" and followed by "example.com", to save it in a file, for example /data/serv1.log? I don't want a static filter (I know how to do it) but a dynamic one. If a new event arrives with original_source=SERV2.example.com, I would like it to automatically create a /data/serv2.log.
Could you help me, please?
Thank you in advance
Pit
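The approach Bazsi describes above (a pcre named capture stored directly into $HOST) written out as a full configuration, as an added example that is not from the thread; it assumes a source named s_net already exists and that the message format is the one quoted in the original question.

```conf
# Added example configuration (not from the thread). Assumes a source s_net
# is already defined and that messages look like the quoted sample:
#   2020/03/23 [notice] [user] New original_source=SERV1.example.com Task=0 ...
filter f_host {
    # With flags(store-matches), a named PCRE capture (?<HOST>...) is stored
    # as the HOST name-value pair, so $HOST becomes "SERV1" for the sample.
    # The character class admits only hostname-label characters (no "/" and
    # no "."), so a hostile original_source value cannot steer the destination
    # path outside /data.
    match('original_source=(?<HOST>[A-Za-z0-9-]+)\.example\.com'
          value("MESSAGE") type("pcre") flags(store-matches));
};

destination d_host {
    # Assumed layout: one directory per original host, created on demand.
    file("/data/${HOST}/messages.log" create-dirs(yes));
};

log {
    source(s_net);
    filter(f_host);
    destination(d_host);
};
```

Messages whose original_source does not match the restricted pattern fail the filter and are simply not written by this log path, which is the safe default for a name that ends up in a file path.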