[syslog-ng] Set log directory based on the source

Tue Feb 18 08:08:27 UTC 2020

Note: I might have mixed up naming, whoops. But I believe now you know what to do.
________________________________
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Attila Szakacs (aszakacs) <Attila.Szakacs at oneidentity.com>
Sent: Tuesday, February 18, 2020 9:06 AM
To: Frank DiGennaro <frank at digennaro.com>; 'Syslog-ng users' and developers' mailing list' <syslog-ng at lists.balabit.hu>
Subject: Re: [syslog-ng] Set log directory based on the source

CAUTION: This email originated from outside of the organization. Do not follow guidance, click links, or open attachments unless you recognize the sender and know the content is safe.

Hi!

I would not mix up the two sources in this case. You can define multiple logpaths:

@define server-log "/tmp/var/log/cron.log"
@define client-log "/tmp/var/log/CLIENTS/$YEAR/$MONTH_ABBREV/$DAY/$HOST/cron.log"

source s_local {
...
};

source s_network {
...
};

destination d_cron_client {
  file("`server-log`" create-dirs(yes));
};

destination d_cron_server {
  file("`client-log`" create-dirs(yes));
};

log {
  source(s_local);
  destination(d_cron_client);
};

log {
  source(s_network);
  destination(d_cron_server);
};

Also the `create-dirs(yes)` option is necessary to allow syslog-ng to create the directories needed.

I hope this does what you expect, if not, feel free to ask more 🙂

Regards,
Attila

________________________________
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Frank DiGennaro <frank at digennaro.com>
Sent: Monday, February 17, 2020 3:15 PM
To: 'Syslog-ng users' and developers' mailing list' <syslog-ng at lists.balabit.hu>
Subject: Re: [syslog-ng] Set log directory based on the source

CAUTION: This email originated from outside of the organization. Do not follow guidance, click links, or open attachments unless you recognize the sender and know the content is safe.

Hello;
    Thanks for the input but I am still missing something here. This is what I have implemented but still can't get it to work.
Thanks;
Frank

@define server-logdir "/var/log"
@define client-logdir "/var/log/CLIENTS/$YEAR/$MONTH_ABBREV/$DAY/$HOST"
@define logdir ""

rewrite r_logdir {
    set(
        "server-logdir"
        value( "logdir" )
        condition( source( "s_local" ) )
    );
    set(
        "client-logdir"
        value( "logdir" )
        condition( source( "s_network" ) )
    );
};

source s_local {
...
};

source s_network {
...
};

destination d_cron {
        file( "`logdir`/cron.log" );
};

log {
    source( s_local );
    source( s_network );
    rewrite(r_logdir);
    filter( f_cron );
    destination( d_cron );
};

-----Original Message-----
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> On Behalf Of Peter Kokai (pkokai)
Sent: Thursday, January 30, 2020 12:14 PM
To: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
Subject: Re: [syslog-ng] Set log directory based on the source

Hello,

You could use macro in order to create different logpath with one file destination:

```
destination d_local0 {
  file( "${LOGDIR}/local/local0.log" );
};
```

This is going to create a path based on the current logmessage $LOGDIR variable/macro.

The question remains how to calculate $LOGDIR.
One option you could use:

```
source s_local0 {
        internal();
};

source s_network {
        network(port(1111));
};

destination d_local {
        file("${LOGDIR}/some/path.txt"); };

rewrite r_logdir {
  set("logdir-server" value("LOGDIR") condition( source("s_network") ) );
  set("logdir-client" value("LOGDIR") condition( source("s_local0") ) ); };

log {
        source(s_local0);
        source(s_network);

        rewrite(r_logdir);

        destination(d_local);
};
```

The rewrite possible can be replaced, but if you have low number of different path I guess it is enough. (Also you could write more complex condition for different logdir names.)

--
Kokan

On Thu, Jan 30, 2020 at 11:25:26AM -0500, Frank DiGennaro wrote:
> CAUTION: This email originated from outside of the organization. Do not follow guidance, click links, or open attachments unless you recognize the sender and know the content is safe.
>
> Hello;
>     I'm somewhat of a newbie when it comes to syslog-ng so forgive me if the question is somewhat basic. I am running syslog-ng 3.25 on both server and clients and would like to set a variable based on the source. This is what I have:
>
> @define server-logdir "/var/log"
> @define client-logdir "/var/log/CLIENTS/$YEAR/$MONTH_ABBREV/$DAY/$HOST"
> @define logdir ""
>
> source s_local {
>     logdir `server-logdir`;  *No!
>     ...
>     ...
> };
> source s_network {
>     logdir `client-logdir`;  *No!
>     ...
>     ...
> };
> destination d_local0 {
>     file( "`logdir`/local/local0.log" ); };
>
> The goal is to set 'logdir' to either 'server-logdir' or
> 'client-logdir' and use it in the destination. I know there are probably several ways that this can be accomplished but I think this was will cut down on the number of lines in the configuration. So my question Is this. How do I set 'logdir' to either 'server-logdir' or 'client-logdir' in the source definition?
> Thanks;
>
> DiGennaro
> Frank DiGennaro
> 301-676-8193 (C)
> frank at digennaro.com<mailto:frank at digennaro.com>
>

> ______________________________________________________________________
> ________ Member info:
> https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Flist
> s.balabit.hu%2Fmailman%2Flistinfo%2Fsyslog-ng&data=02%7C01%7CPeter
> .Kokai%40oneidentity.com%7C74d83ff1c9024e60428408d7a5a108c8%7C91c369b5
> 1c9e439c989c1867ec606603%7C0%7C0%7C637159983378113505&sdata=jRbzD6
> 8qb8i3PvTtOwXN4XMQRG%2Fx2DLR%2FiUg%2FTUigfQ%3D&reserved=0
> Documentation:
> https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.b
> alabit.com%2Fsupport%2Fdocumentation%2F%3Fproduct%3Dsyslog-ng&data
> =02%7C01%7CPeter.Kokai%40oneidentity.com%7C74d83ff1c9024e60428408d7a5a
> 108c8%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637159983378113505&
> amp;sdata=GLC5NR2Fm4dmXz%2BtyRxRD4CnERaOKDBsQ11xSN0ykhs%3D&reserve
> d=0
> FAQ:
> https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.b
> alabit.com%2Fwiki%2Fsyslog-ng-faq&data=02%7C01%7CPeter.Kokai%40one
> identity.com%7C74d83ff1c9024e60428408d7a5a108c8%7C91c369b51c9e439c989c
> 1867ec606603%7C0%7C0%7C637159983378113505&sdata=xvZE3offYnT%2BLlR6
> 7tlWPYwB26L5Mulaj7YQMViKDdU%3D&reserved=0
>
______________________________________________________________________________
Member info: https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.balabit.hu%2Fmailman%2Flistinfo%2Fsyslog-ng&data=02%7C01%7CAttila.Szakacs%40oneidentity.com%7C86a7d431093d4c53886e08d7b3b3cbd2%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637175457109309159&sdata=RuqJ7F0VKuuJ%2FhT8ufWaWipWFzU5DKLYLmxgumqefQ8%3D&reserved=0<https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.balabit.hu%2Fmailman%2Flistinfo%2Fsyslog-ng&data=02%7C01%7Cattila.szakacs%40oneidentity.com%7Caadf325ed4b04a96f3a908d7b4496ea7%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637176099804957506&sdata=BFj2A4txGZYuVT6Eq%2F9xD290QA%2FMxccox0SB%2BE%2F5cZc%3D&reserved=0>
Documentation: https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fsupport%2Fdocumentation%2F%3Fproduct%3Dsyslog-ng&data=02%7C01%7CAttila.Szakacs%40oneidentity.com%7C86a7d431093d4c53886e08d7b3b3cbd2%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637175457109309159&sdata=bgP9jDwcFMkrKHUY5I3nROD%2B4sHG%2B2DupHhxbXFtZEM%3D&reserved=0<https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fsupport%2Fdocumentation%2F%3Fproduct%3Dsyslog-ng&data=02%7C01%7Cattila.szakacs%40oneidentity.com%7Caadf325ed4b04a96f3a908d7b4496ea7%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637176099804967463&sdata=yJsOP5Kua0NHxwyZqzFNKQddZ0jaV9xlMkmR1hFRZFk%3D&reserved=0>
FAQ: https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fwiki%2Fsyslog-ng-faq&data=02%7C01%7CAttila.Szakacs%40oneidentity.com%7C86a7d431093d4c53886e08d7b3b3cbd2%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637175457109309159&sdata=zbsHBCoLmI2%2F85Sdvuw1HM5u3LTzULKUvd%2BpiWCCZFg%3D&reserved=0<https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fwiki%2Fsyslog-ng-faq&data=02%7C01%7Cattila.szakacs%40oneidentity.com%7Caadf325ed4b04a96f3a908d7b4496ea7%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637176099804967463&sdata=kY4J37l7%2FELmwY3KNpcMjATmIAv1xHXWFs76meS9j24%3D&reserved=0>

______________________________________________________________________________
Member info: https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.balabit.hu%2Fmailman%2Flistinfo%2Fsyslog-ng&data=02%7C01%7CAttila.Szakacs%40oneidentity.com%7C86a7d431093d4c53886e08d7b3b3cbd2%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637175457109309159&sdata=RuqJ7F0VKuuJ%2FhT8ufWaWipWFzU5DKLYLmxgumqefQ8%3D&reserved=0<https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.balabit.hu%2Fmailman%2Flistinfo%2Fsyslog-ng&data=02%7C01%7Cattila.szakacs%40oneidentity.com%7Caadf325ed4b04a96f3a908d7b4496ea7%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637176099804967463&sdata=dGMOoXOyoE7uBGq%2BWDxOOriRoQqaSsIHboV07dnzjys%3D&reserved=0>
Documentation: https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fsupport%2Fdocumentation%2F%3Fproduct%3Dsyslog-ng&data=02%7C01%7CAttila.Szakacs%40oneidentity.com%7C86a7d431093d4c53886e08d7b3b3cbd2%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637175457109309159&sdata=bgP9jDwcFMkrKHUY5I3nROD%2B4sHG%2B2DupHhxbXFtZEM%3D&reserved=0<https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fsupport%2Fdocumentation%2F%3Fproduct%3Dsyslog-ng&data=02%7C01%7Cattila.szakacs%40oneidentity.com%7Caadf325ed4b04a96f3a908d7b4496ea7%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637176099804977419&sdata=CLk7qQOOqGoKJTNcIZXXLVQ75Ig9bw550UsXkv10kkU%3D&reserved=0>
FAQ: https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fwiki%2Fsyslog-ng-faq&data=02%7C01%7CAttila.Szakacs%40oneidentity.com%7C86a7d431093d4c53886e08d7b3b3cbd2%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637175457109309159&sdata=zbsHBCoLmI2%2F85Sdvuw1HM5u3LTzULKUvd%2BpiWCCZFg%3D&reserved=0<https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fwiki%2Fsyslog-ng-faq&data=02%7C01%7Cattila.szakacs%40oneidentity.com%7Caadf325ed4b04a96f3a908d7b4496ea7%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637176099804977419&sdata=T5YHRssJIhs1YesYjzVfNw1G9qPRs86L3crAdqK2Is0%3D&reserved=0>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20200218/7d70b5af/attachment-0001.html>