[syslog-ng] how to rewrite the HOST macro - really a feature request for user-based macro definitions.

Evan Rempel erempel at uvic.ca
Mon Aug 13 18:00:49 CEST 2007


You would have to follow up with the author to see if it is implemented yet, but
there might be a solution using the regular expression functionality of syslog-ng.

***   This has not yet been implemented.   ***
***   This post is to show how useful such a feature could be.   ***

The basic idea is to match a regular expression on the host in the filter section
and use the matched substring in the template. Log this to a *second* syslog-ng
that does the writing to the files.

I know that this syntax was proposed by someone (me), so it is not yet in the current
distribution of syslog-ng (Balazs - note to raise the priority :-).

In syslog-ng server 1

source network { ... };

filter multi-interface { host("^(.*)e[0-9]+(\..*)?$" fullhost myhost domain); };

# $PRI carries the facility/priority number so the second syslog-ng sees a valid header
template rewrite { template("<$PRI> $S_DATE $myhost$domain $MESSAGE"); template_escape(no); };
template raw     { template("<$PRI> $S_DATE $HOST $MESSAGE"); template_escape(no); };

destination second_syslog_rewrite { ... template(rewrite); };
destination second_syslog_raw { ... template(raw); };

# matching hosts are rewritten and stop here (final); everything else falls through to the raw path
log  { source(network); filter(multi-interface); destination(second_syslog_rewrite); flags(final); };
log  { source(network); destination(second_syslog_raw); flags(final); };

Then you use your second syslog with the normal "HOST" macro, because it will never
see the hostnames with the "e#" ending; they will have already been truncated.

Thinking this through a little more, you could use the filter of

filter multi-interface { host("^(.*)(e[0-9]+)?(\..*)?$" fullhost myhost interface domain); };

and then use the macros $myhost$domain in place of all of your $HOST macros and not
require the second syslog server/instance at all.

Evan.

mobidyc wrote:
> 2007/8/12, Jim Hendrick <jrhendri at maine.rr.com>:
>> Excuse me if you've already thought of this but, I assume your servers have
>> multiple NICs on separate networks. Why would the same server forward its
>> syslog messages to your central log server using different NICs? Wouldn't
>> normal routing force it to connect using one NIC all the time?
> 
> no, one reason why we use multiple networks is that we have at least one
> network backup for servers.
> 
>> i.e. is this really a problem? Have you seen the same server use different
>> NICs to talk to your log server?
> 
> yes
> 
>> If you really are seeing this (and can't fix it at the source) I suppose you
>> could use a filter to look at the messages and define different destinations
>> for each server, using a regexp on the host to determine which to put where.
> 
> too difficult to maintain, we often have servers that are added to the
> network. I could write a shell script to auto-generate a config
> file but that seems ugly.
> but apparently, there are only ugly solutions for what I want:
> 
> I could either:
> - put my servers statically in /etc/hosts
> - put my servers statically in the syslog-ng.conf
> - auto-create a syslog-ng.conf file each day through a crontab
> - hack the syslog-ng source
> - pass by program(); and call a script to auto-generate symlinks
> 
> as you can see, there are multiple solutions, I will choose one of them I
> think.
> 
> thanks all for your help.
> 
> --
> Mobidyc
> _______________________________________________
> syslog-ng maillist  -  syslog-ng at lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
> 


-- 
Evan Rempel                erempel at uvic.ca
Senior Programmer Analyst        250.721.7691
Computing Services
University of Victoria
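The two host() regexes from the proposal above, exercised in an added Python example (not part of the post, and syslog-ng does not implement these named macros): it shows what $myhost and $domain would capture, that a name such as node1 is a false positive for the e[0-9]+ suffix, and that with a backtracking engine like Python's re the optional-group variant never captures $interface because the leading (.*) is greedy.

```python
import re

# Regex from the first proposed filter: ^(.*)e[0-9]+(\..*)?$
# group 1 -> $myhost, group 2 -> $domain (absent for bare hostnames)
MULTI_IFACE = re.compile(r"^(.*)e[0-9]+(\..*)?$")

# Regex from the second proposal, with the interface group made optional
# so the filter matches every host: ^(.*)(e[0-9]+)?(\..*)?$
MULTI_IFACE_OPTIONAL = re.compile(r"^(.*)(e[0-9]+)?(\..*)?$")


def split_host(fullhost):
    """Return ($myhost, $domain) as the first filter would set them,
    or None when the filter does not match (the 'raw' log path)."""
    m = MULTI_IFACE.match(fullhost)
    if m is None:
        return None
    return m.group(1), m.group(2) or ""


def split_host_optional(fullhost):
    """Return ($myhost, $interface, $domain) under the optional-group regex.
    Because (.*) is greedy and the groups after it may match empty, (.*)
    swallows the whole name and $interface / $domain come back as None."""
    m = MULTI_IFACE_OPTIONAL.match(fullhost)
    return m.group(1), m.group(2), m.group(3)


def render(pri, s_date, fullhost, message):
    """Render the line the first syslog-ng would forward: the 'rewrite'
    template for matching hosts, the 'raw' template for everything else."""
    parts = split_host(fullhost)
    host = fullhost if parts is None else parts[0] + parts[1]
    return f"<{pri}> {s_date} {host} {message}"


if __name__ == "__main__":
    # constructed sample hostnames, PRI and date; not taken from a real log
    samples = ["web01e1.example.com", "web01e1", "db02.example.com",
               "node1.example.com"]
    for h in samples:
        print(render(13, "Aug 13 18:00:49", h, "test message"),
              "| optional-group capture:", split_host_optional(h))
```

node1.example.com is rewritten to nod.example.com, so a deployment would need a stricter suffix pattern or a delimiter between hostname and interface.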

