[syslog-ng] pattern matching on xxx#

Matthew Hall mhall at mhcomputing.net
Fri Oct 15 21:01:47 CEST 2010


On Fri, Oct 15, 2010 at 12:48:14PM -0600, Bill Anderson wrote:
> I have hostnames of the format xxxx# such as host1, hostb1, hostc1. I 
> need to split that into two fields such as (host,1).
> 
> Unfortunately, since @@ escapes the @ and STRING and its followers 
> ALSO match digits, I've not found the obvious means to get that out. 
> Conceptually something like @LETTER:host.name@@NUMBER:host.id@ would 
> do it, save that LETTER doesn't exist and @@ escapes.

I think you can get around @@ escapes by adding extra @'s. ;-) Too bad 
LETTER doesn't exist yet. Man I wish it did for some of the @#$%^&* @#$% 
I have to parse.

> The end goal is as follows (pseudo-code):
> I need to have a destination for each (HOST). For example all files 
> from hosta## go to /var/log/hosta/ and entries for hostb## go to 
> /var/log/hostb/

Goal makes sense for a big server farm. Crazy idea. Depending on how your 
IP subnets are set up... could you break the host IPs into pieces using 
'.' and direct the logs where they need to go using the IP?

> I suppose I *might* be able to do a rewrite to add say, a hyphen, and 
> then use csv-parser, but we're talking some heavy traffic and I 
> suspect that doing rewrites on that much traffic would be a 
> performance killer.

Can you try the rewrite on a second syslog-ng receiving a relayed copy 
of the traffic using AF_UNIX SOCK_DGRAM, also known as the unix-dgram 
driver? That way if it has disastrous side effects you could find out 
without causing outages in your primary syslog-ng. I often use this sort 
of approach for testing crazy ideas.

> I'm open to suggestions (that don't involve changing server names, 
> preferably ;) ) as to how to accomplish this.

Let's keep working on it until we come up with a good idea. There has to 
be some way to make it happen.

> Cheers,
> Bill

Regards,
Matthew Hall.

