[syslog-ng] separe files question

Mártha Csaba csaba.martha at tele1.com
Wed Oct 1 10:27:38 CEST 2008


Hello

Sorry, I think local0.


Mártha Csaba


On 2008.10.01., at 10:05, Geller, Sandor (IT) wrote:

> Hello,
>
>> Hello
>>
>> I have a question: I get logfiles from facility0 with this content:
>
> facility0, really? facility 0 is the kernel.
>
>> AppID(0-9a-Z)-ThreadID(0-9a-Z)-DATE-TIME-MESSAGE
>
> This format won't get parsed the way you're expecting. Syslog isn't
> about feeding random data to the syslog daemon and expect the daemon
> to read your mind about what you want to achieve.
>
>> I created a filter with this content:
>> filter f_flash_msg { match ("[0-9a-zA-Z]+-[0-9a-zA-Z]-*"); };
>
> This filter doesn't do capturing. You should look after regexps,
> especially about how to use parentheses.
>
> For example "([0-9a-zA-Z]+)-([0-9a-zA-Z]+)-" does capturing.
>
>> and destination
>> destination df_out {
>> file("/var/log/client/flashlog/$1/$2/$YEAR/$MONTH/
>> $DAY/$TIME.txt"); };
>
> As your regexp doesn't do clustering $1 $2 ... are uninitialised. And
> $YEAR $MONTH etc. contain the timestamp of the log - not the DATE-TIME
> part of the line you showed.
>
>> I need separate folders/files.
>>
>> The log line contains this data:
>>
>> 1234-ABCD-2008-09-30-16-20-35-FatalError
>> AppID-Thread-Date-Time-MSG
>
> I recommend to experiment a little with regexps. For example use sed
> (although a lot of escaping is needed in sed for extended regexps).
> When the sed expression works as you want then it is easy to transform
> it into a regexp usable in syslog-ng.
>
> For example, to capture the first 4 fields of your log you should use this
> sed command (note the ^ anchor):
> sed 's/^\([0-9a-zA-Z]\+\)-\([0-9a-zA-Z]\+\)-\([0-9]\{4\}\)-\([0-9]\{2\}\)-/\1 \2 \3 \4 /'
>
> The regexp usable in syslog-ng would be:
> "^([0-9a-zA-Z]+)-([0-9a-zA-Z]+)-([0-9]{4})-([0-9]{2})"
> and $1 $2 $3 $4 contain the data, so the destination filename would be
> "/var/log/syslog-ng/flashlogs/${1}/${2}/${3}/${4}"
>
>> I need this structure:
>>
>> /var/log/syslog-ng/flashlogs/1234/ABCD/2008/09/30/16.txt
>>
>> What is my mistake?
>
> See above.
>
> hth,
>
> Sandor
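As an added illustration (not part of the thread), the following Python stand-in models what the capturing filter in the reply above does: the regexp is extended here (my assumption) to capture the day and hour as well, so that the template yields the requested path, and a non-matching line yields no path at all, just as the filter would not pass it to the destination. The same character class that makes the captures work is also what stops log content from injecting '/' or '..' into the file() path.

```python
import re

# Anchored regexp in the spirit of the reply, extended (assumption) to six
# capture groups: AppID-ThreadID-YYYY-MM-DD-HH, the rest of the line ignored.
FLASH_MSG_RE = re.compile(
    r"^([0-9a-zA-Z]+)-([0-9a-zA-Z]+)-([0-9]{4})-([0-9]{2})-([0-9]{2})-([0-9]{2})"
)

# The original, unanchored filter from the question: it matches, but has no
# parentheses, so it captures nothing ($1, $2 stay uninitialised).
ORIGINAL_FILTER_RE = re.compile(r"[0-9a-zA-Z]+-[0-9a-zA-Z]-*")

# Stand-in for the file() destination template, ${1}..${6} from the captures.
DEST_TEMPLATE = "/var/log/syslog-ng/flashlogs/{1}/{2}/{3}/{4}/{5}/{6}.txt"


def original_filter_groups(line):
    """Groups produced by the questioner's filter: always empty."""
    m = ORIGINAL_FILTER_RE.search(line)
    return m.groups() if m else None


def parse_flash_msg(line):
    """Return the captures as syslog-ng would expose $1..$6, or None when the
    anchored filter does not match (the line would not reach the destination)."""
    m = FLASH_MSG_RE.match(line)
    return m.groups() if m else None


def destination_path(line):
    """Expand the destination template for one log line, or None if filtered out."""
    groups = parse_flash_msg(line)
    if groups is None:
        return None
    # Every capture is restricted to [0-9a-zA-Z], so no component can carry
    # '/', '.', '..' or whitespace: untrusted log text cannot escape the
    # flashlogs directory when used as path components.
    return DEST_TEMPLATE.format(None, *groups)


if __name__ == "__main__":
    # Constructed sample lines: the one from the question, one with a
    # traversal attempt in the AppID field, and one without the ^ anchor match.
    for sample in ("1234-ABCD-2008-09-30-16-20-35-FatalError",
                   "../etc-ABCD-2008-09-30-16-20-35-FatalError",
                   "FatalError 1234-ABCD-2008-09-30-16-20-35"):
        print(repr(sample), "->", destination_path(sample))
```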
