[syslog-ng] Destination regex question

James Whitt phikapjames at gmail.com
Wed Oct 18 15:44:08 CEST 2006


My question is about using regex and breaking up the parts of a string to
use in the destination.  Here's the situation.  We have all of our firewalls
logging into one box that is running syslog-ng.  We want to break them up
into a directory structure such as:
/logs/location1/firewall/host1/
/logs/location2/firewall/host1/
/logs/location2/firewall/host2/

Now the hostname contains all the information needed to do this.  For
example, a host name might be:
firewallname.firewall.location1
anothername.firewall.location2

Up to this point, for each location I've had to do the following in syslog
to map to the correct directory:
destination location1_firewall {
file("/logs/location1/firewall/$HOST/$R_YEAR-$R_MONTH-$R_DAY.log"); };
filter location1_firewall { host(.firewall.location1$); };
log { source(external); filter(location1_firewall);
destination(location1_firewall); };

This works completely fine.  The only issue is that we have over 80
different locations, so this would need to have these three lines modified
and added for each location.  We're also adding more over time, so each time
another location is set up, we need to go through the configuration and
update.  I was hoping there would be a way to just combine them all
together.  Something like:

destination firewall {
     host(.firewall.(.+)$);
     file("/logs/$1/firewall/$HOST/$R_YEAR-$R_MONTH-$R_DAY.log");
};
filter firewall { host(.firewall.); };
log { source(external); filter(firewall); destination(firewall); };


I know the regex syntax might be different, but was curious if this kind of
situation is possible.
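The mapping the post is after (pull the location out of a hostname of the form name.firewall.location and use it as a path component) and the workaround it is currently doing by hand (one destination/filter/log trio per location) can both be scripted. The following is an added example, not part of the original post or of syslog-ng: it validates incoming hostnames against a strict pattern before building a path, and it generates the per-location config blocks from a list so that adding a location is a one-line change. The hostnames, location names and the `/logs` root are constructed sample values taken from the post. The hostname check is the security-relevant part: `$HOST` on a UDP syslog feed is whatever the sender puts in the packet, so a loose `(.+)` capture would let a forged hostname carry `/` or `..` into the file path; restricting the capture to hostname characters closes that off.

```python
import re

LOG_ROOT = "/logs"

# Hostname shape from the post: <name>.firewall.<location>. The character classes
# are deliberately strict so that a forged $HOST (syslog over UDP is not
# authenticated) cannot smuggle "/" or ".." into the destination path.
HOST_RE = re.compile(
    r"^(?P<name>[a-z0-9][a-z0-9-]*)\.firewall\.(?P<location>[a-z0-9][a-z0-9-]*)$",
    re.IGNORECASE,
)

# Location identifiers also become syslog-ng object names, so keep them to
# characters that are safe both in a path and in a config identifier.
LOCATION_RE = re.compile(r"^[a-z0-9][a-z0-9_-]*$", re.IGNORECASE)


def firewall_log_path(host, year, month, day):
    """Return the per-host log file for a hostname, or None when the hostname
    does not match the strict pattern (unknown shape or unsafe characters)."""
    m = HOST_RE.match(host)
    if m is None:
        return None
    return (
        f"{LOG_ROOT}/{m['location']}/firewall/{host}/"
        f"{year:04d}-{month:02d}-{day:02d}.log"
    )


def render_location_block(location):
    """Emit the destination/filter/log trio from the post for one location.
    The host() regex is quoted and its dots escaped; the hand-written version
    in the post leaves the dots as unescaped wildcards."""
    if not LOCATION_RE.match(location):
        raise ValueError(f"unsafe location identifier: {location!r}")
    name = f"{location}_firewall"
    return (
        f"destination {name} {{\n"
        f'    file("{LOG_ROOT}/{location}/firewall/$HOST/$R_YEAR-$R_MONTH-$R_DAY.log"); }};\n'
        f'filter {name} {{ host("\\.firewall\\.{location}$"); }};\n'
        f"log {{ source(external); filter({name}); destination({name}); }};\n"
    )


def render_config(locations):
    """Concatenate the blocks for every location, sorted and de-duplicated so
    the generated file diffs cleanly when a location is added."""
    return "\n".join(render_location_block(loc) for loc in sorted(set(locations)))


if __name__ == "__main__":
    # Constructed sample input: the two hostnames from the post plus a forged one.
    for h in ("firewallname.firewall.location1",
              "anothername.firewall.location2",
              "../../etc.firewall.location1"):
        print(h, "->", firewall_log_path(h, 2006, 10, 18))
    print(render_config(["location2", "location1"]))
```

Run it as a script to see the path decision for each sample hostname and the generated config for two locations; in practice `render_config` would be fed the location list and its output included from syslog-ng.conf, so a new location is added by appending one name to the list rather than editing three statements. Later syslog-ng releases can also keep regex captures from a match() filter for use in a file() template, which is the single-destination form the post asks about, but the hostname validation above is still needed whichever way the path is built.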