[syslog-ng] Using Regex information for destination

James Whitt phikapjames at gmail.com
Mon Jan 28 21:30:30 CET 2008


Never mind, I caught my mistake.  Forgot ().  Thanks for the help.

On Jan 28, 2008 3:27 PM, James Whitt <phikapjames at gmail.com> wrote:

> I had that for the most part, but it didn't work.  I was using host in my
> filter (hostname throws a syntax error).  Here is what I have for the most
> part for that section:
>
> filter f_filter { host("^[0-9a-zA-Z\-]+\.domain\.[0-9a-zA-Z\-]+$"); };
> destination f_logs { file("/logs/$1/$2/$HOST/$YEAR-$MONTH-$DAY.log"); };
> log { source(external);
>       filter(f_filter);
>       destination(f_logs);
>       flags(final);
> };
>
> When I start this, it does filter correctly, but it doesn't place them in
> the correct directories.  Another example of what it does.
>
> Hostname: abc.domain.xyz
> It saves the log information in: /logs/abc.domain.xyz/2008-01-28.log
>
> It completely ignores the $1/$2.  I had restarted it and even changed the
> path to verify that it is reading the new configuration file.
>
>
>
> On Jan 28, 2008 3:16 PM, Balazs Scheidler <bazsi at balabit.hu> wrote:
>
> >
> > On Mon, 2008-01-28 at 14:55 -0500, James Whitt wrote:
> > > I had asked this question about a year ago, but was told to wait for
> > > the new 2.0 version.  I'm currently running the latest syslog-ng
> > > 2.0.7.
> > >
> > > What I would like to do is put the line in a specific file based on
> > > part of the hostname.  For example:
> > >
> > > Hostname: subdomain.domain.tld
> > >
> > > destination customer_firewall_logs
> > > { file("/logs/$TLD/$DOMAIN/$SUBDOMAIN/$R_YEAR-$R_MONTH-$R_DAY.log"); };
> > >
> > > WHERE $TLD is the tld of the hostname, $DOMAIN is the domain from the
> > > hostname, and $SUBDOMAIN is the subdomain from the hostname.  I would
> > > like to be able to regex this information out of the hostname to use
> > > in the destination.  Is this possible and any tips on getting it to
> > > work correctly would be greatly appreciated.
> >
> > You can do something like this:
> >
> > filter f_tld { hostname("^[a-zA-Z0-9]+\.\(.$\)$"); };
> >
> > Then your TLD is in the $1 macro, e.g. you can do something like:
> >
> > destination d_file {
> > file("/logs/$1/$DOMAIN/$SUBDOMAIN/$R_YEAR-$R_MONTH-$R_DAY.log"); };
> >                                 ^^^
> >
> > You can use up to 256 different $NNN macros, but only one regexp.
> >
> > --
> > Bazsi
>
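Added example (not from the posters or the syslog-ng project): a small Python model of why the filter without () left $1/$2 empty, and what the path looks like once groups are present. The group placement in WITH_GROUPS, the expand() helper, and the rule that an unset $N expands to an empty string are assumptions, chosen to be consistent with the path reported in the thread.

```python
import re

# Filter pattern as first posted in the thread (no capture groups), and the
# same pattern with the parentheses added. Group placement is an assumption.
NO_GROUPS = r"^[0-9a-zA-Z\-]+\.domain\.[0-9a-zA-Z\-]+$"
WITH_GROUPS = r"^([0-9a-zA-Z\-]+)\.domain\.([0-9a-zA-Z\-]+)$"
TEMPLATE = "/logs/$1/$2/$HOST/$YEAR-$MONTH-$DAY.log"


def expand(pattern, host, date=("2008", "01", "28")):
    """Return the destination path for host, or None if the filter rejects it.

    Simplified model (assumption): $N takes capture group N of the filter
    match, and a $N with no matching group expands to the empty string.
    """
    m = re.fullmatch(pattern, host)
    if m is None:
        return None  # filter did not match: message never reaches the file
    macros = {"HOST": host, "YEAR": date[0], "MONTH": date[1], "DAY": date[2]}
    for n, value in enumerate(m.groups(), start=1):
        macros[str(n)] = value or ""

    def substitute(ref):
        return macros.get(ref.group(1), "")

    path = re.sub(r"\$([0-9]+|[A-Z_]+)", substitute, TEMPLATE)
    # Repeated slashes resolve to the same directory, so collapse them to
    # show the path that actually appears on disk.
    return re.sub(r"/{2,}", "/", path)


if __name__ == "__main__":
    # Constructed sample hostnames; the first is the one used in the thread.
    for host in ("abc.domain.xyz", "../../etc.domain.xyz"):
        print(host, "->", expand(NO_GROUPS, host), "|", expand(WITH_GROUPS, host))
```

Because the pattern is anchored and its character class excludes "/" and ".", a hostname carrying path components never matches, so it cannot steer $1 or $2 outside /logs.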