[syslog-ng] how rewrite the HOST macro - really feature request for user based macro definitions.
Evan Rempel
erempel at uvic.ca
Mon Aug 13 18:00:49 CEST 2007
You would have to follow up with the author to see if it is implemented yet, but
there might be a solution using the regular expression functionality of syslog-ng.
*** This has not yet been implemented. ***
*** This post is to show how useful such a feature could be. ***
The basic idea is to match a regular expression on the host in the filter section
and use the matched substring in the template. Log this to a *second* syslog-ng
that does the writing to the files.
I know that this syntax was proposed by someone (me) so it is not yet in the current
distribution of syslog-ng (Balazs - note to raise the priority :-).
In syslog-ng server 1
source network { ... };
filter multi-interface { host("^(.*)e[0-9]+(\..*)?$" fullhost myhost domain); };
template rewrite { template("<PRI> $S_DATE $myhost$domain $MESSAGE"); template_escape(no); };
template raw { template("<PRI> $S_DATE $HOST $MESSAGE"); template_escape(no); };
destination second_syslog_rewrite { ... template(rewrite); };
destination second_syslog_raw { ... template(raw); };
log { source(network); filter(multi-interface); destination(second_syslog_rewrite); flags(final); };
log { source(network); filter(multi-interface); destination(second_syslog_raw); flags(final); };
Then you use your second syslog with the normal "HOST" macro because it will never
see the hostnames with the "e#" ending, they will have already been truncated.
Thinking this through a little more, you could use the filter of
filter multi-interface { host("^(.*)(e[0-9]+)?(\..*)?$" fullhost myhost interface domain); };
and then use the macros $myhost$domain
in place of all of your $HOST macros and not require the second syslog server/instance at all.
Evan.
mobidyc wrote:
> 2007/8/12, Jim Hendrick <jrhendri at maine.rr.com>:
>> Excuse me if you've already thought of this but, I assume your servers
>> have
>> multiple NICs on separate networks. Why would the same server forward its
>> syslog messages to your central log server using different NICs? Wouldn't
>> normal routing force it to connect using one NIC all the time?
>
>
> no, one reason why we use multiple networks is that we have at least one
> network backup for servers.
>
>
>> i.e. is this really a problem? Have you seen the same server use different
>> NICs to talk to your log server?
>
>
> yes
>
>> If you really are seeing this (and can't fix it at the source) I suppose you
>> could use a filter to look at the messages and define different
>> destinations
>> for each server, using a regexp on the host to determine which to put
>> where.
>>
>
> too difficult to maintain, we often have some servers that are added to the
> network,
> I could write a shell script to auto-generate a config
> file but that seems ugly.
> but apparently, there are only ugly solutions for what I want:
>
> I could either:
> - put my servers statically in /etc/hosts
> - put my servers statically in the syslog-ng.conf
> - auto-create a syslog-ng.conf file each day through a crontab
> - hack the syslog-ng source
> - pass by program(); and call a script to auto-generate a symlink
>
> as you can see, there are multiple solutions, I will choose one of them I
> think.
>
> thanks all for your help.
>
> --
> Mobidyc
--
Evan Rempel erempel at uvic.ca
Senior Programmer Analyst 250.721.7691
Computing Services
University of Victoria
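
Added example, not part of the original post and not syslog-ng code: the two host patterns from the message, run over constructed host names to show what $myhost$domain would contain for each. Assumptions: Python's re stands in for syslog-ng's regex engine, the function and sample names are hypothetical, and VARIANT is a pattern added here that keeps the first group lazy and inside the first DNS label.

```python
import re

# The two patterns exactly as posted, plus a variant added for this example.
FIRST = r"^(.*)e[0-9]+(\..*)?$"            # groups: myhost, domain
SECOND = r"^(.*)(e[0-9]+)?(\..*)?$"        # groups: myhost, interface, domain
VARIANT = r"^([^.]*?)(e[0-9]+)?(\..*)?$"   # assumption: lazy, first label only


def normalize(host, pattern):
    """Return myhost+domain as the proposed template would build it.

    If the pattern does not match, the filter would not fire and the
    original host name is kept unchanged.
    """
    m = re.match(pattern, host)
    if m is None:
        return host
    groups = m.groups()
    myhost, domain = groups[0], groups[-1]
    return myhost + (domain or "")


# Constructed sample hosts: one server seen through two interfaces, the same
# server without a suffix, a short name, and a domain label ending in a digit.
SAMPLES = [
    "db1e0.example.com",
    "db1e1.example.com",
    "db1.example.com",
    "db1e0",
    "web1e0.site3.example.com",
]


def table(pattern):
    """Normalized form of every sample host under one pattern."""
    return [normalize(h, pattern) for h in SAMPLES]


if __name__ == "__main__":
    for name, pat in (("first", FIRST), ("second", SECOND), ("variant", VARIANT)):
        print(name)
        for host, out in zip(SAMPLES, table(pat)):
            print(f"  {host:28} -> {out}")
```

With SECOND the greedy first group takes the whole name, so nothing is stripped; with FIRST the rightmost "e#" in the FQDN is the one removed. No pattern of this kind can tell an interface suffix from a real host name that ends in "e" plus digits (constructed example: "france2" becomes "franc").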