[syslog-ng] is it exist some way to extract the filename listened by file() ?

Scheidler, Balázs balazs.scheidler at balabit.com
Sat Apr 8 09:57:55 UTC 2017


I've checked the source and it is there.

-- 
Bazsi

On Sat, Apr 8, 2017 at 10:07 AM, Fekete, Róbert <robert.fekete at balabit.com>
wrote:

> Hi,
>
> AFAIK, the FILE_NAME macro is only available in syslog-ng Premium Edition
> 6.
> CzP published a workaround a while back, that I never got to add to the
> official docs:
> https://czanik.blogs.balabit.com/2015/03/using-rfc5424-syslog-to-forward-file-names/
>
> I'm not sure if it works in your case.
>
> Robert
>
>
>
> On Sat, Apr 8, 2017 at 8:10 AM, Scheidler, Balázs <
> balazs.scheidler at balabit.com> wrote:
>
>> Hi,
>>
>> It seems indeed ugly. We do have a FILE_NAME macro that gets set to the
>> name of the file the message was read from.
>>
>> With a quick search I didn't find it documented.
>>
>> On Apr 8, 2017 07:27, "Jorge Pereira" <jpereiran at gmail.com> wrote:
>>
>>> Hi Team,
>>>
>>> Well, I am working on a POC using syslog-ng 3.7.1. Basically, I have
>>> many log files whose filename is /path/<file>, and I need to append
>>> the file name to the syslog payload.
>>>
>>> My current approach is:
>>>
>>> 1. I have the below destination() receiving the file name as a
>>> parameter.
>>>
>>> <snip>
>>> block destination d_collector_with_fn(__filename("")) {
>>>     tcp("192.168.2.44"
>>>         port(514)
>>>         keep-alive(on)
>>>         template("$DATE $HOST $MSGHDR $(format-json --scope selected_macros \
>>>                                                     --exclude TAGS \
>>>                                                     --exclude DATE \
>>>                                                     --exclude PRIORITY \
>>>                                                     --exclude FACILITY \
>>>                                                     --exclude SOURCEIP \
>>>                                                     --exclude PROGRAM \
>>>                                                     --pair SYSLOG_WEBAPP_DOMAIN='`__filename`' \
>>>                                                     --pair SOURCE=${SOURCE}
>>>         )\n")
>>>         template-escape(no)
>>>     );
>>> };
>>> </snip>
>>>
>>>
>>> 2. My simple script, called by confgen, creates some dynamic "log {}"
>>> statements listening to the files and appending the filename as a parameter
>>> to the d_collector_with_fn()
>>>
>>> <snip>
>>> log {
>>>         source {
>>>                 file("/path/thisisafile001.net"
>>>                         program_override("mytag")
>>>                         follow_freq(1)
>>>                         flags(no-parse)
>>>                 );
>>>         };
>>>         destination {
>>>                 d_collector_with_fn(__filename("thisisafile001.net"));
>>>         };
>>> };
>>>
>>> log {
>>>         source {
>>>                 file("caipirinha4ever.net"
>>>                         program_override("mytag")
>>>                         follow_freq(1)
>>>                         flags(no-parse)
>>>                 );
>>>         };
>>>         destination {
>>>                 d_collector_with_fn(__filename("caipirinha4ever.net"));
>>>         };
>>> };
>>>
>>> .........................
>>> </snip>
>>>
>>> But I have more than 5k files, and my current approach of creating
>>> multiple log { } statements results in one connection to the collector for
>>> each file!!! In this case, I have 5k connections... this is terrible.
>>> Does someone have another suggestion? Is there some way to catch the filename
>>> via some internal ${variable} and pass it to a single destination()?
>>>
>>> --
>>> Jorge Pereira
>>>
>
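
Added example, not part of the thread and not syslog-ng project code: a confgen-style generator that emits one source holding every file() driver and a single tcp() destination that takes the name from ${FILE_NAME}, so all files go through one destination instead of one per log statement. It assumes the FILE_NAME macro is available in the running build (as the top reply says) and that it carries the path as passed to file(); `s_webapp_files`, `d_collector`, `quote` and `render` are hypothetical names, and reading paths from stdin is an assumption.

```python
import sys

# Collector address and file() options are the ones from the original post.
# ${FILE_NAME} replaces the per-file `__filename` block argument (assumed available).
TEMPLATE = r'''source s_webapp_files {
%s
};

destination d_collector {
    tcp("192.168.2.44" port(514) keep-alive(on)
        template("$DATE $HOST $MSGHDR $(format-json --scope selected_macros --exclude TAGS --exclude DATE --exclude PRIORITY --exclude FACILITY --exclude SOURCEIP --exclude PROGRAM --pair SYSLOG_WEBAPP_DOMAIN=${FILE_NAME} --pair SOURCE=${SOURCE})\n")
        template-escape(no));
};

log { source(s_webapp_files); destination(d_collector); };
'''


def quote(path):
    """Return path as a double-quoted syslog-ng string literal.

    File names come from the filesystem, so they are untrusted input to the
    generated config: control characters and backticks (config variable
    substitution) are rejected, backslashes and quotes are escaped.
    """
    if "`" in path or any(ord(c) < 0x20 or ord(c) == 0x7F for c in path):
        raise ValueError("unsafe character in file name: %r" % path)
    return '"' + path.replace("\\", "\\\\").replace('"', '\\"') + '"'


def render(paths):
    """Build the config text: one file() driver per unique path, one destination."""
    drivers = [
        '    file(%s program_override("mytag") follow_freq(1) flags(no-parse));' % quote(p)
        for p in sorted(set(paths))
    ]
    return TEMPLATE % "\n".join(drivers)


if __name__ == "__main__":
    # Paths arrive one per line on stdin; the generated config goes to stdout.
    sys.stdout.write(render(l.rstrip("\n") for l in sys.stdin if l.strip()))
```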