Hello

I have a question. I get logfiles from facility0, of this form:

AppID(0-9a-Z)-ThreadID(0-9a-Z)-DATE-TIME-MESSAGE

I created a filter with this content:

filter f_flash_msg { match ("[0-9a-zA-Z]+-[0-9a-zA-Z]-*"); };

and destination:

destination df_out { file("/var/log/client/flashlog/$1/$2/$YEAR/$MONTH/$DAY/$TIME.txt"); };

I need separate folders/files. The log line contains these data:

1234-ABCD-2008-09-30-16-20-35-FatalError
AppID-Thread-Date-Time-MSG

I need this structure:

/var/log/syslog-ng/flashlogs/1234/ABCD/2008/09/30/16.txt

What is my mistake?

Best Regards
Csaba
> Hello,

Hello

> I have a question. I get logfiles from facility0, of this form:

facility0, really? Facility 0 is the kernel.

> AppID(0-9a-Z)-ThreadID(0-9a-Z)-DATE-TIME-MESSAGE

This format won't get parsed the way you're expecting. Syslog isn't about feeding random data to the syslog daemon and expecting the daemon to read your mind about what you want to achieve.

> I created a filter with this content:
> filter f_flash_msg { match ("[0-9a-zA-Z]+-[0-9a-zA-Z]-*"); };

This filter doesn't do capturing. You should look into regexps, especially how to use parentheses. For example "([0-9a-zA-Z]+)-([0-9a-zA-Z]+)-" does capturing.

> and destination:
> destination df_out { file("/var/log/client/flashlog/$1/$2/$YEAR/$MONTH/$DAY/$TIME.txt"); };

As your regexp doesn't do clustering, $1 $2 ... are uninitialised. And $YEAR $MONTH etc. contain the timestamp of the log, not the DATE-TIME part of the line you showed.

> I need separate folders/files.
> The log line contains these data:
> 1234-ABCD-2008-09-30-16-20-35-FatalError
> AppID-Thread-Date-Time-MSG

I recommend experimenting a little with regexps. For example use sed (although a lot of escaping is needed in sed for extended regexps). When the sed expression works as you want, it is easy to transform it into a regexp usable in syslog-ng. For example, to capture the first 4 fields of your log you should use this sed command (note the ^ anchor):

sed 's/^\([0-9a-zA-Z]\+\)-\([0-9a-zA-Z]\+\)-\([0-9]\{4\}\)-\([0-9]\{2\}\)-/\1 \2 \3 \4 /'

The regexp usable in syslog-ng would be:

"^([0-9a-zA-Z]+)-([0-9a-zA-Z]+)-([0-9]{4})-([0-9]{2})"

and $1 $2 $3 $4 contain the data, so the destination filename would be:

"/var/log/syslog-ng/flashlogs/${1}/${2}/${3}/${4}"

> I need this structure:
> /var/log/syslog-ng/flashlogs/1234/ABCD/2008/09/30/16.txt
> What is my mistake?

See above.

hth,
Sandor

--------------------------------------------------------
NOTICE: If received in error, please destroy and notify sender. Sender does not intend to waive confidentiality or privilege. Use of this email is prohibited when received in error.
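An added example, not from Sandor's mail or from the syslog-ng project, that follows his advice of prototyping the regexp with sed before moving it into syslog-ng: it extends his pattern with DAY and HOUR groups so the path Csaba asked for (.../1234/ABCD/2008/09/30/16.txt) can be built, and it refuses lines that do not match the anchored pattern, which matters because ${1} and ${2} end up as directory names under the destination. The base directory and the equivalent syslog-ng config shown in the comment are assumptions.

```shell
#!/bin/sh
# Added example (not part of the thread). Assumed base directory from Csaba's
# requested layout.
FLASHLOG_BASE=/var/log/syslog-ng/flashlogs

# Extended regexp with six capture groups: AppID, ThreadID, year, month, day, hour.
# The ^ anchor and the [0-9a-zA-Z] classes are what keep $1 and $2 safe to use as
# path components: a message whose first fields contain "/" or "." never matches,
# so it can never steer the file() destination outside FLASHLOG_BASE.
FLASH_RE='^([0-9a-zA-Z]+)-([0-9a-zA-Z]+)-([0-9]{4})-([0-9]{2})-([0-9]{2})-([0-9]{2})-'

# Assumed syslog-ng equivalent of the same regexp (not exercised by this script):
#   filter f_flash_msg { match("^([0-9a-zA-Z]+)-([0-9a-zA-Z]+)-([0-9]{4})-([0-9]{2})-([0-9]{2})-([0-9]{2})-"); };
#   destination df_out { file("/var/log/syslog-ng/flashlogs/${1}/${2}/${3}/${4}/${5}/${6}.txt"); };

# Print the destination path for one log line; return 1 when the line does not
# match, so a caller can route such lines elsewhere instead of guessing a path.
flashlog_path() {
    line=$1
    # sed -n plus the "p" flag: only a line the substitution applied to is printed.
    # The trailing ".*" swallows minutes, seconds and MESSAGE, which are not needed.
    path=$(printf '%s\n' "$line" | sed -n -E "s#${FLASH_RE}.*#${FLASHLOG_BASE}/\\1/\\2/\\3/\\4/\\5/\\6.txt#p")
    [ -n "$path" ] || return 1
    printf '%s\n' "$path"
}

# Constructed sample line (the one quoted in the thread):
flashlog_path '1234-ABCD-2008-09-30-16-20-35-FatalError'
```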
Hello

Sorry, I think local0.

Mártha Csaba

On 2008.10.01., at 10:05, Geller, Sandor (IT) wrote:
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
participants (2)
- Geller, Sandor (IT)
- Mártha Csaba