[syslog-ng] separe files question

Geller, Sandor (IT) Sandor.Geller at morganstanley.com
Wed Oct 1 10:05:23 CEST 2008 

Hello,

> Hello
>
> I have a question, i get logfiles from facility0, with these matter:

facility0, really? facility 0 is the kernel.

> AppID(0-9a-Z)-ThreadID(0-9a-Z)-DATE-TIME-MESSAGE

This format won't get parsed the way you're expecting. Syslog isn't
about feeding random data to the syslog daemon and expect the daemon
to read your mind about what you want to achieve.

> i created  a filter, with this content:
> filter f_flash_msg { match ("[0-9a-zA-Z]+-[0-9a-zA-Z]-*"); };

This filter doesn't do capturing. You should look after regexps,
especially about how to use parentheses.

For example "([0-9a-zA-Z]+)-([0-9a-zA-Z]+)-" does capturing.

> and destination
> destination df_out {
> file("/var/log/client/flashlog/$1/$2/$YEAR/$MONTH/
> $DAY/$TIME.txt"); };

As your regexp doesn't do clustering $1 $2 ... are uninitialised. And
$YEAR $MONTH etc. contain the timestamp of the log - not the DATE-TIME
part of the line you showed.

> i need separate folders/files.
>
> the log line contains these datas:
>
> 1234-ABCD-2008-09-30-16-20-35-FatalError
> AppID-Thread-Date-Time-MSG

I recommend to experiment a little with regexps. For example use sed
(although a lot of escaping is needed in sed for extended regexps).
When the sed expression works as you want then it is easy to transform
it into a regexp usable in syslog-ng.

For example capturing the first 4 fields of you log you should use this
sed command (note the ^ anchor):
sed 's/^\([0-9a-zA-Z]\+\)-\([0-9a-zA-Z]\+\)-\([0-9]\{4\}\)-\([0-9]\{2\}\)-/\1 \2 \3 \4 /'

The regexp usable in syslog-ng would be:
"^([0-9a-zA-Z]+)-([0-9a-zA-Z]+)-([0-9]{4})-([0-9]{2})"
and $1 $2 $3 $4 contain the data, so the destination filename would be
"/var/log/syslog-ng/flashlogs/${1}/${2}/${3}/{4}"

> i need this structure:
>
> /var/log/syslog-ng/flashlogs/1234/ABCD/2008/09/30/16.txt
>
> what is my mistake?

See above.

hth,

Sandor
--------------------------------------------------------

NOTICE: If received in error, please destroy and notify sender. Sender does not intend to waive confidentiality or privilege. Use of this email is prohibited when received in error.

More information about the syslog-ng mailing list