filter f_host { host(^([^0-9]+)[0-9]+); }; destination d_host {file("/log1/syslog/$1/$R_YEAR/$R_MONTH/$R_YEAR-$R_MONTH-$R_DAY" template("$ISODATE <$FACILITY.$PRIORITY> $1 $MSG\n") template_escape(no) ); }; log { source(your_source); filter(f_host); destination(d_host); }; This will log anything that is non-numeric followed by numbers to the non-numeric path, and "spoof" the hostname as if it were the non-numeric host. You may with to put the $host macro in place of the $1 in the template. Alternatively, if you have a limited number of server types, you could do filter f_web { host(^web[0-9]+); }; destination d_web { file("/log1/syslog/web/$R_YEAR/$R_MONTH/$R_YEAR-$R_MONTH-$R_DAY" template("$ISODATE <$FACILITY.$PRIORITY> web $MSG\n") template_escape(no) ); }; log { source(your_source); filter f_web; destination(d_web); }; for each server type. Evan Rempel Cliff Fogle wrote:

I have several server types, like web001-web100 and thumb001-thumb010 or db001-db004

I want each server type to log to the same file and I can't for the life of me figure out a regex for $HOST in the destination statement to strip numerals.

Where the first $HOST is below I want to do something like a sed "s/[0-9]*$//"

destination d_host { file("/log1/syslog/$HOST/$R_YEAR/$R_MONTH/$R_YEAR-$R_MONTH-$R_DAY" template("$ISODATE <$FACILITY.$PRIORITY> $HOST $MSG\n") template_escape(no) ); };

Thanks for any help you can provide. I've been banging my head against google for hours now... ______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.campin.net/syslog-ng/faq.html