[syslog-ng] can syslog-ng extract part of the hostname and make directory on the fly?

syslogng at feystorm.net syslogng at feystorm.net
Fri Jul 22 21:24:14 CEST 2011


You could do a regex on this.

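# Match hosts whose name starts with "group" plus one more character;
# flags('store-matches') keeps the named capture available as $GROUP.
filter f_group {
     host('^(?<GROUP>group.)' type('pcre') flags('store-matches'));
};
# $GROUP set by the filter above selects the per-group directory.
destination d_group {
     file("/log/$GROUP/$HOST");
};
log { source(s_local); filter(f_group); destination(d_group); };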


Sent: Fri Jul 22 2011 11:55:38 GMT-0600 (MST)
From: Jakub Jankowski <shasta at toxcorp.com>
To: syslog-ng at lists.balabit.hu
Subject: Re: [syslog-ng] can syslog-ng extract part of the hostname and make directory on the fly?
> On Fri, 22 Jul 2011 09:28:35 -0500, fedora fedora wrote:
>
>> I have a few hundred hosts, and say
>>
>> hosta has dns name groupa-hosta
>> hostb has dns name groupbhostb
>> hostc has dns name groupc.hostc
>>
>> ..etc..etc (note the first 6 characters define the group)
>>
>> When a log comes in, can syslog-ng extract the first 6 characters from the dns
>> name, and drop the log file to the corresponding group? (So log from hostb
>> will go under /log/groupb/groupahostb )
>>
>> I cannot predefine the groups though, since I don't know how many groups
>> will be there, the only thing I know is the first 6 characters of the
>> hostname will be the group name
> If there was a distinct separator between the group name and the rest, this
> would be trivial, see similar example in 3.2 OSE administrator guide:
> http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.2-guide-admin-en.html/index.html-single.html#example_parser
>
> Without such a separator, I think you'd have to use something I asked for: a
> substring function. This isn't included in 3.2 yet, but you can backport it
> quite easily (I'm using it without problems). See those threads:
> https://lists.balabit.hu/pipermail/syslog-ng/2011-April/016329.html
> https://lists.balabit.hu/pipermail/syslog-ng/2011-April/016359.html
> https://lists.balabit.hu/pipermail/syslog-ng/2011-May/016502.html
>
>
> HTH
>
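
A fuller version of the filter-based configuration in this message, as an added example that is not part of the original post or of the syslog-ng documentation. It generalizes the match to any six-character prefix; the letters-and-digits character class, the permission values and the d_ungrouped destination are assumptions, and s_local is taken to be defined elsewhere as in the post.

```conf
# Added example, not from the original post. Assumes source s_local exists.
options {
    # Check that hostnames contain only valid characters, since $HOST
    # becomes part of a file path below.
    check_hostname(yes);
};

# Capture the first six characters of the hostname as $GROUP.
# Assumption: group names consist of letters and digits only, so the captured
# value can never contain "/" or "." when it is used as a directory name.
filter f_group {
    host('^(?<GROUP>[A-Za-z0-9]{6})' type('pcre') flags('store-matches'));
};

destination d_group {
    # create_dirs(yes) creates /log/<group>/ the first time a group is seen.
    # Permission values are assumptions; adjust to local policy.
    file("/log/$GROUP/$HOST" create_dirs(yes) dir_perm(0750) perm(0640));
};

# Hypothetical catch-all for hosts whose name does not match the pattern,
# so their messages are kept instead of silently dropped by the filter.
destination d_ungrouped {
    file("/log/ungrouped/$HOST" create_dirs(yes) dir_perm(0750) perm(0640));
};

log { source(s_local); filter(f_group); destination(d_group); };
# flags(fallback): receives only messages no other log statement handled.
log { source(s_local); destination(d_ungrouped); flags(fallback); };
```

Because the group directories are created from data in the incoming message, keeping the capture to a fixed character class bounds what can appear under /log/.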