[syslog-ng]Macro question

[McNutt, Justin M.]

Hey all,

I'm new to the list, and fairly new to syslog-ng, so I hope I'm not =
asking a VFAQ (although a perusal of the documentation and the mailing =
list archives suggests that I'm not, so here goes).

I have a server (dnps-linux2) that is set up as an SNMP trap receiver =
(Net-SNMP 5.0.3).  Traps are then reformatted and sent to the local =
host's syslog service (via logger(2), I think).  They arrive using =
facility local0.  This part works.

The part that sucks is that the IP address of the original trap sender =
is embedded in the $MSG portion of the entry. Here's an example:

Mar 12 15:33:47 dnps-linux2 snmptrapd[797]: 128.206.169.240: Enterprise =
Specific Trap (blah blah blah)

I'm trying to set up a destination that will split these up by sender, =
but $HOST always returns "dnps-linux2".  $PROGRAM will return snmptrapd. =
 I need to do something like this:

source s_sys { (all the usual sources) };

filter f_snmptrap {
	facility(local0) and program(snmptrapd);
};

destination d_snmptrap {
	file("/usr/log/traps/$SENDER/$YEAR.$MONTH.$DAY.traps");
};

log {
	source(s_sys);
	filter(f_snmptrap);
	destination(d_snmptrap);
};

In the examples above, $SENDER should resolve to "128.206.169.240", =
perhaps by somehow matching $MSG against "^(\d+\.\d+\.\d+\.\d+):".

Is this possible in any version of syslog-ng?  I'm currently running =
1.5.25 (on RedHat 7.3), but I don't have any qualms about upgrading if I =
can get this function (which I assume would go in the filter{} clause?).

Any help is appreciated.  Thanks!

Justin McNutt
Network Systems Analyst
DNPS, Mizzou Telecom
(573) 882-5183

In personal conversations with technical people, I call myself a hacker. =
But
when I'm talking to journalists I just say "programmer" or something =
like that.
        -- Linus Torvalds