[syslog-ng] Filters to sort by host then service?

Ryan phusion2k at gmail.com
Wed May 2 21:53:45 CEST 2007


I am working on setting up a central syslog-ng server running on
FreeBSD 6-STABLE. I have local logging set up. I also have the service
listening on UDP and TCP ports. I need help figuring out how to have
a filter so it filters by hostname and then by service.

syslog-ng.conf
####################
# Options
####################
options { keep_hostname(yes); long_hostnames(off); sync(0); };

####################
# Sources
####################
source local {
        # FreeBSD kernel messages; the prefix is what f_kernel matches on
        file("/dev/klog" log_prefix("kernel: "));
        # FreeBSD's syslog socket (Linux uses /dev/log instead)
        unix-dgram("/var/run/log");
        # syslog-ng's own messages, plus remote clients on TCP and UDP
        internal();
        tcp(keep-alive(yes));
        udp();
};

####################
# Destinations
####################
# Destination Files from Local Host
destination all       { file("/var/log/all.log"); };
destination la_cron   { file("/var/log/cron.log"); };
destination la_sudo   { file("/var/log/sudo.log"); };
destination ld_sshd   { file("/var/log/sshd.log"); };
destination ls_kernel { file("/var/log/kernel.log"); };

####################
# Filters
####################
# match() takes a regular expression. The "[" after the program name has to
# be escaped as "\[" or it opens a character class; single quotes stop the
# config parser from eating the backslashes before the regex sees them.
filter fa_cron { match('cron\[[0-9]+\]'); };
filter fa_sudo { match('sudo:'); };
# "and" binds tighter than "or": without the parentheses only the first
# "or" branch is restricted to sshd and the others match any program.
# sshd lines that hit none of these keywords are written nowhere.
filter fd_sshd { match('sshd\[[0-9]+\]')
                 and ( match('Server listening')
                       or match('Connection from') or match('client software version')
                       or match('Accepted password') or match('Failed password')
                       or match('Connection closed') or match('Closing connection')
                       or match('subsystem request') or match('Received signal 15') ); };
filter f_kernel { match('kernel: '); };
# host() is a regex too; anchored so that "status" does not also match
# hosts such as "status2" or "oldstatus"
filter f_status { host('^status$'); };
# Whatever the per-service filters above did not claim
filter f_terms { not match('cron\[[0-9]+\]') and not match('sudo:')
                 and not match('sshd\[[0-9]+\]') and not match('kernel: '); };

####################
# Logs
####################
# Logs for Local Host
log { source(local); filter(f_status); filter(f_terms);  destination(all); };
log { source(local); filter(f_status); filter(fa_cron);  destination(la_cron); };
log { source(local); filter(f_status); filter(fa_sudo);  destination(la_sudo); };
log { source(local); filter(f_status); filter(fd_sshd);  destination(ld_sshd); };
log { source(local); filter(f_status); filter(f_kernel); destination(ls_kernel); };
----------

With the above I can sort by the local machine, which is named status,
and then filter by service. I would like logs to go in the following
format.

/storage/logs/$YEAR/$MONTH/$DAY/$HOST/$service_filter.log

So, I could use my service-level filters like for sshd or whatever.
Examples would be like the following.

FQDN: server1.test.com, running sshd
FQDN: server2.test.com, running named

/storage/logs/2007/05/02/server1.test.com/sshd.log
/storage/logs/2007/05/02/server2.test.com/named.log

How would I go about doing this? I would appreciate any suggestions. Thanks.

Phusion
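One way to get the /storage/logs/$YEAR/$MONTH/$DAY/$HOST/<service>.log layout asked for above. This is an added example, not the poster's configuration and not a file shipped by the syslog-ng project. It assumes syslog-ng 2.x-or-later names for the file() options and macros ($YEAR, $MONTH, $DAY, $HOST, $PROGRAM, create_dirs(), dir_perm(), perm()), the poster's source "local" and local hostname "status", and the hypothetical remote hosts server1.test.com (sshd) and server2.test.com (named) from the question; the filter and destination names are chosen here.

```conf
####################
# Options
####################
# $HOST is whatever ends up in the HOST field, and with this layout that
# string becomes a directory name. keep_hostname(yes) copies the hostname
# the client put in the packet, so any client can pick its own directory;
# keep_hostname(no) makes the server name the peer itself from the
# connection address (use_dns/use_fqdn), which also gives the FQDN form
# wanted for the path. check_hostname(yes) discards messages whose
# hostname field contains characters that are not legal in a hostname,
# so "/" or ".." never reach the file name. One file per program per
# host per day means many open descriptors; time_reap() closes idle ones.
options { keep_hostname(no); check_hostname(yes); use_dns(yes); use_fqdn(yes);
          long_hostnames(off); sync(0); time_reap(60); };

####################
# Destinations
####################
# One destination per service filter: host and date come from macros, the
# service name from the filter that routes into the destination.
destination d_sshd  { file("/storage/logs/$YEAR/$MONTH/$DAY/$HOST/sshd.log"
                           create_dirs(yes) dir_perm(0750) perm(0640)); };
destination d_named { file("/storage/logs/$YEAR/$MONTH/$DAY/$HOST/named.log"
                           create_dirs(yes) dir_perm(0750) perm(0640)); };
# Generalisation beyond the two services in the question: name the file
# after the PROGRAM field of the syslog header, which yields sshd.log,
# named.log, cron.log and so on without a filter per service. Messages
# with no program field land in a file named ".log".
destination d_by_program { file("/storage/logs/$YEAR/$MONTH/$DAY/$HOST/$PROGRAM.log"
                                create_dirs(yes) dir_perm(0750) perm(0640)); };

####################
# Filters
####################
# program() tests the PROGRAM header field, so the regex does not have to
# skip over the "[pid]" suffix the way a match() on the whole line does.
filter f_sshd   { program('^sshd$'); };
filter f_named  { program('^named$'); };
# Everything that did not originate on this server
filter f_remote { not host('^status$'); };

####################
# Logs
####################
# flags(final) stops a message that matched a service filter from also
# being written by the catch-all statement below.
log { source(local); filter(f_remote); filter(f_sshd);  destination(d_sshd);  flags(final); };
log { source(local); filter(f_remote); filter(f_named); destination(d_named); flags(final); };
# Remaining remote messages: one file per reporting program
log { source(local); filter(f_remote); destination(d_by_program); };
```

With this, a message from server1.test.com whose header program is sshd is written to /storage/logs/2007/05/02/server1.test.com/sshd.log and one from server2.test.com with program named to .../server2.test.com/named.log, the directories being created on first write. Check the result of check_hostname() and keep_hostname() on a test client before trusting the tree: the directory names are only as trustworthy as the mechanism that produced $HOST.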
