I had asked this question about a year ago, but was told to wait for the new 2.0 version. I'm currently running the latest syslog-ng 2.0.7.
What I would like to do is put the line in a specific file based on part of the hostname. For example:
Hostname: subdomain.domain.tld
destination customer_firewall_logs { file("/logs/$TLD/$DOMAIN/$SUBDOMAIN/$R_YEAR-$R_MONTH-$R_DAY.log"); };
WHERE $TLD is the TLD of the hostname, $DOMAIN is the domain from the hostname, and $SUBDOMAIN is the subdomain from the hostname. I would like to be able to regex this information out of the hostname to use in the destination. Is this possible, and any tips on getting it to work correctly would be greatly appreciated.
On Mon, 2008-01-28 at 14:55 -0500, James Whitt wrote:
You can do something like this:
filter f_tld { hostname("^[a-zA-Z0-9]+\.\(.$\)$"); };
Then your TLD is in the $1 macro, e.g. you can do something like:
destination d_file { file("/logs/$1/$DOMAIN/$SUBDOMAIN/$R_YEAR-$R_MONTH-$R_DAY.log"); };
                                 ^^^
You can use up to 256 different $NNN macros, but only one regexp.
-- Bazsi
I had that for the most part, but it didn't work. I was using host in my filter (hostname throws a syntax error). Here is what I have for the most part for that section:
filter f_filter { host("^[0-9a-zA-Z\-]+\.domain\.[0-9a-zA-Z\-]+$"); };
destination f_logs { file("/logs/$1/$2/$HOST/$YEAR-$MONTH-$DAY.log"); };
log { source(external); filter(f_filter); destination(f_logs); flags(final); };
When I start this, it does filter correctly, but it doesn't place them in the correct directories. Another example of what it does.
Hostname: abc.domain.xyz
It saves the log information in: /logs/abc.domain.xyz/2008-01-28.log
It completely ignores the $1/$2. I had restarted it and even changed the path to verify that it is reading the new configuration file.
On Jan 28, 2008 3:16 PM, Balazs Scheidler <bazsi@balabit.hu> wrote:
_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
Never mind, I caught my mistake. Forgot (). Thanks for the help.
On Jan 28, 2008 3:27 PM, James Whitt <phikapjames@gmail.com> wrote:
I just noticed an issue with my filter using regex, so I'm hoping that someone can help me figure this out. I'm running version 2.0.9. I have internal hostnames that I use with a central log system. The issue is that if I use a host like:
hostr01.w01.primary
It should go to /logs/primary/wireless/hostr01.r01.primary/, but if the router filter is above the wireless filter, then it's actually going into /logs/primary/wireless/hostr01.r01.primary/. It appears to be ignoring or matching the . even though I have it with a \.. Any help with this would be greatly appreciated. If I didn't have the final(), it would log to both places. Here is the snippet of the config that deals with this.
filter router_filter { host("^[0-9a-zA-Z\-]+\.r[0-9]{2}\.([0-9a-zA-Z\-]+)$"); };
destination router_logs { file("/logs/$1/router/$HOST/$YEAR-$MONTH-$DAY.log"); };
log { source(s_external); filter(router_filter); destination(router_logs); flags(final); };
filter wireless_filter { host("^[0-9a-zA-Z\-]+\.w[0-9]{2}\.([0-9a-zA-Z\-]+)$"); };
destination wireless_logs { file("/logs/$1/wireless/$HOST/$YEAR-$MONTH-$DAY.log"); };
log { source(s_external); filter(wireless_filter); destination(wireless_logs); flags(final); };
Your regular expressions do look ok - I tested them interactively in tclsh and the "wireless" one does match hostr01.w01.primary while the "router" one does not. So this does seem like a syslog-ng oddity.
fegan> tclsh
% set hn {hostr01.w01.primary}
hostr01.w01.primary
%
% set router {^[0-9a-zA-Z\-]+\.r[0-9]{2}\.([0-9a-zA-Z\-]+)$}
^[0-9a-zA-Z\-]+\.r[0-9]{2}\.([0-9a-zA-Z\-]+)$
%
% regexp $router $hn
0
%
% set wireless {^[0-9a-zA-Z\-]+\.w[0-9]{2}\.([0-9a-zA-Z\-]+)$}
^[0-9a-zA-Z\-]+\.w[0-9]{2}\.([0-9a-zA-Z\-]+)$
%
% regexp $wireless $hn
1
% exit
fegan>
________________________________
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of James Whitt
Sent: 10 July 2008 22:53
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Using Regex information for destination
On Fri, 2008-07-11 at 01:19 +0000, Fegan, Joe wrote:
Note that syslog-ng strings use '\' as an escape character, just like in C, so you need to escape \\ to produce a single '\' character in the regexp. I know this is bad, but changing the quoting style is not really possible without breaking a lot of people's configuration files.
"{^[0-9a-zA-Z\\-]+\\.r[0-9]{2}\\.([0-9a-zA-Z\\-]+)$}"
Maybe a note in the documentation about this would be useful. Cc'ing the doc. team about this.
-- Bazsi
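As an added illustration, not code from the thread or from syslog-ng itself, the Python below models the two points the thread turns on: Bazsi's note that double-quoted syslog-ng strings are unescaped C-style before the regex engine sees them (so a single "\." reaches the engine as a bare "." and matches any character), and the $1/$2 capture macros from the January exchange, including what happens when the parentheses are missing. The unescaper is a model of that lexer behaviour and is an assumption based on the thread, not syslog-ng's code; the hostnames, the config fragments and the 2008-07-10 date are constructed samples.

```python
import re

# Constructed samples modelled on the thread's wireless/router filters. They are
# Python raw strings so the backslashes reach the unescaper exactly as they
# would sit inside a double-quoted syslog-ng config string.
SINGLE_ESCAPED = r'^[0-9a-zA-Z\-]+\.w[0-9]{2}\.([0-9a-zA-Z\-]+)$'      # as first posted
DOUBLE_ESCAPED = r'^[0-9a-zA-Z\\-]+\\.w[0-9]{2}\\.([0-9a-zA-Z\\-]+)$'  # as Bazsi suggests
ROUTER_ESCAPED = r'^[0-9a-zA-Z\\-]+\\.r[0-9]{2}\\.([0-9a-zA-Z\\-]+)$'
NO_GROUP = r'^[0-9a-zA-Z\\-]+\\.w[0-9]{2}\\.[0-9a-zA-Z\\-]+$'            # the "forgot ()" case
WIRELESS_TEMPLATE = '/logs/$1/wireless/$HOST/$YEAR-$MONTH-$DAY.log'
ROUTER_TEMPLATE = '/logs/$1/router/$HOST/$YEAR-$MONTH-$DAY.log'


def unescape_config_string(s):
    """Model of C-style unescaping (assumption: what syslog-ng's lexer does to a
    double-quoted string, per the thread): '\\\\' -> one backslash, '\\n' -> newline,
    and any other escaped character is emitted without its backslash, so '\\.'
    reaches the regex engine as a plain '.'."""
    known = {'n': '\n', 't': '\t', 'r': '\r', '\\': '\\', '"': '"'}
    out, i = [], 0
    while i < len(s):
        if s[i] == '\\' and i + 1 < len(s):
            out.append(known.get(s[i + 1], s[i + 1]))
            i += 2
        else:
            out.append(s[i])
            i += 1
    return ''.join(out)


def effective_regex(config_string):
    """The pattern the regex engine actually compiles after unescaping."""
    return unescape_config_string(config_string)


def expand_template(template, match, host, date=(2008, 7, 10)):
    """Expand $1..$N, $HOST, $YEAR, $MONTH and $DAY in a file() template.
    Only the macros used in the thread are modelled. A $N with no matching
    capture group expands to nothing, which is consistent with the
    /logs/abc.domain.xyz/... path James saw before adding parentheses."""
    year, month, day = date
    fixed = {'HOST': host, 'YEAR': f'{year:04d}',
             'MONTH': f'{month:02d}', 'DAY': f'{day:02d}'}

    def repl(m):
        name = m.group(1)
        if name.isdigit():
            n = int(name)
            return match.group(n) if n <= len(match.groups()) else ''
        return fixed[name]

    return re.sub(r'\$([0-9]+|[A-Z_]+)', repl, template)


def missing_groups(config_regex, template):
    """$N macros in the template that the filter regex cannot fill (a config
    lint for the 'forgot ()' mistake)."""
    ngroups = re.compile(effective_regex(config_regex)).groups
    return [f'${n}' for n in re.findall(r'\$([0-9]+)', template) if int(n) > ngroups]


def resolve_destination(config_regex, template, host, date=(2008, 7, 10)):
    """Path the host's messages would be written to, or None if the filter
    does not match (the message would fall through to later log statements)."""
    m = re.match(effective_regex(config_regex), host)
    return None if m is None else expand_template(template, m, host, date)


def route(host, log_statements, date=(2008, 7, 10)):
    """First matching (filter, destination) pair wins, modelling flags(final)."""
    for config_regex, template in log_statements:
        path = resolve_destination(config_regex, template, host, date)
        if path is not None:
            return path
    return None


if __name__ == '__main__':
    for label, pattern in (('single', SINGLE_ESCAPED), ('double', DOUBLE_ESCAPED)):
        print(label, 'engine sees:', effective_regex(pattern))
        for host in ('hostr01.w01.primary', 'hostr01Xw01Yprimary'):
            print('  ', host, '->', resolve_destination(pattern, WIRELESS_TEMPLATE, host))
    print('missing groups:', missing_groups(NO_GROUP, WIRELESS_TEMPLATE))
    print('routed:', route('hostr01.w01.primary',
                           [(ROUTER_ESCAPED, ROUTER_TEMPLATE), (DOUBLE_ESCAPED, WIRELESS_TEMPLATE)]))
```

The dotless hostname is the tell: with the single-escaped pattern it is accepted, because each "." in the compiled regex has become a wildcard; with the double-escaped pattern it is rejected. The same model reproduces the January symptom, where a template referencing $1 against a filter with no capture group silently expands to an empty path component.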