Rewrite facility names of remote logs
I've set up Syslog-NG to receive logs from other servers which have been configured as follows - Tomcat servers are forwarding logs as facility6 to rsyslog, which then forwards to central log server. Apache servers are forwarding logs as facility5 to rsyslog which then forwards to central log server.

When I receive these logs on the central log server, they are written to files as their facility name, i.e. local6.$DAY. Is there a way to change or re-write the facility name on the fly so that instead of local6.$DAY I can get the file written as tomcat.$DAY?

Here is the configuration I'm using to store the logs -

destination d_net { file("/var/log/hosts/$YEAR/$MONTH/$HOST/$FACILITY.$DAY" owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes) ); };
log { source(s_net); destination(d_net); };

Is "tomcat" the $PROGRAM or the $FACILITY name? I would think it would be $PROGRAM like "ssh" or "apache."

On Fri, Mar 25, 2011 at 9:44 AM, Steve Smith <ssmith@xpressdocs.com> wrote:
I’ve set up Syslog-NG to receive logs from other servers which have been configured as follows - Tomcat servers are forwarding logs as facility6 to rsyslog, which then forwards to central log server. Apache servers are forwarding logs as facility5 to rsyslog which then forwards to central log server.
When I receive these logs on the central log server, they are written to files as their facility name, i.e. local6.$DAY. Is there a way to change or re-write the facility name on the fly so that instead of local6.$DAY I can get the file written as tomcat.$DAY?
Here is the configuration I’m using to store the logs -
destination d_net { file("/var/log/hosts/$YEAR/$MONTH/$HOST/$FACILITY.$DAY" owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes) ); };
log { source(s_net); destination(d_net); };
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
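
One way to get per-application file names on the central server, as an added example that is not part of the thread: route on the facility with filters and hard-code the name in each destination, keeping the original d_net as a catch-all. The filter and destination names are hypothetical, and local5 for the Apache hosts is an assumption (the post only shows local6 in a file name).

```conf
# Added example, not from the thread. s_net and d_net are the names used in
# the original post; f_* and d_tomcat/d_apache are hypothetical names.

# Assumption: "facility6" / "facility5" in the post mean local6 / local5.
filter f_tomcat { facility(local6); };
filter f_apache { facility(local5); };

# Same ownership and permissions as d_net, so the renamed files stay root-only.
destination d_tomcat {
    file("/var/log/hosts/$YEAR/$MONTH/$HOST/tomcat.$DAY"
         owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes));
};
destination d_apache {
    file("/var/log/hosts/$YEAR/$MONTH/$HOST/apache.$DAY"
         owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes));
};

# flags(final) stops a matched message from also reaching the catch-all below,
# so tomcat traffic is not written a second time as local6.$DAY.
log { source(s_net); filter(f_tomcat); destination(d_tomcat); flags(final); };
log { source(s_net); filter(f_apache); destination(d_apache); flags(final); };

# Catch-all from the original post: everything else keeps $FACILITY.$DAY.
log { source(s_net); destination(d_net); };
```

The facility is set by the sending host, so any remote system that can reach s_net can choose which file its messages land in; pairing each facility filter with a host() or netmask() filter limits that to the expected senders.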
participants (2)
- Martin Holste
- Steve Smith