[syslog-ng] variable host filter in events

Syslogng syslogng at master666.com
Wed Mar 25 14:25:12 UTC 2020


Hi,

Thanks for your information, I managed to do this with:

filter f_host {
  match(
    # parentheses make the captured name available as $1;
    # without a capture group store-matches only fills $0
    'original_source=([^\.]*)'
    flags(store-matches)
    value('MSGONLY')
    type("pcre")
  );
};

destination d_host {
  file("/data/$1/messages.log");
};

If it can help someone else.

Maybe a last question could be whether it is not better to use glob in this case to reduce CPU usage?

But I didn't manage to do it with different tries like:

filter f_host {
  match(
    "original_source=*.example.com"
    flags(store-matches)
    value('MSGONLY')
    type("glob")
  );
};
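A complete configuration for the approach Bazsi describes (a regexp filter with flags(store-matches), the captured name copied into $HOST, and $HOST used in the destination path), as an added example; it is not the poster's config and not part of the syslog-ng project. The source name s_net, the UDP/514 port, the /data path, the fallback destination and the .example.com suffix are assumptions. Two points the posted snippets do not cover: the pattern 'original_source=[^\.]*' matches "http://SERV1" rather than "SERV1" on the sample line, and because it accepts "/" it lets a value inside a message body choose directories under /data, so the capture group below is restricted to hostname characters; and glob patterns have no capture groups, so store-matches cannot populate $1 from a type("glob") match, which is why the glob attempt above cannot feed the file name.

```conf
@version: 3.25
@include "scl.conf"

# Assumed source: the aggregating server forwards everything to UDP/514.
source s_net {
    network(ip("0.0.0.0") port(514) transport("udp"));
};

# Extract the server name that precedes ".example.com" in
#   original_source=http://SERV1.example.com
# The optional scheme is skipped with a non-capturing group, so $1 holds
# only "SERV1". The capture allows hostname characters only, so a message
# cannot place "/" or ".." into the destination path.
filter f_orig_src {
    match('original_source=(?:[a-z]+://)?([A-Za-z0-9-]+)\.example\.com'
          value("MESSAGE")
          type("pcre")
          flags(store-matches));
};

# Copy the captured name into $HOST, as suggested in the thread, so the
# destination uses a named macro instead of $1.
rewrite r_host_from_match {
    set("$1" value("HOST"));
};

# One file per original host; create-dirs(yes) creates /data/<name>/ on
# demand with restrictive permissions (assumed values).
destination d_per_host {
    file("/data/${HOST}/messages.log"
         create-dirs(yes)
         dir-perm(0750)
         perm(0640));
};

# Assumed catch-all so that messages without original_source= are kept.
destination d_unmatched {
    file("/data/unmatched/messages.log" create-dirs(yes) dir-perm(0750) perm(0640));
};

log {
    source(s_net);
    filter(f_orig_src);
    rewrite(r_host_from_match);
    destination(d_per_host);
};

# flags(fallback): only messages no other log path matched end up here.
log {
    source(s_net);
    destination(d_unmatched);
    flags(fallback);
};
```

Check the file with `syslog-ng -s -f <path>` before reloading. Note that the rewrite overwrites $HOST for matched messages, so any other destination in the same configuration that keys on $HOST will also see the extracted name rather than the aggregating server's address.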





---- On Tue, 24 Mar 2020 07:18:37 +0100 Balazs Scheidler <mailto:bazsi77 at gmail.com> wrote ----

Hi,

You can extract values from $MSG by using regexps (by using a regexp based filter with the flags(store-matches) option), or by using csv-parser() with a custom separator (this should be faster) or even db-parser. In any case, once you have extracted the server name just make sure to store it in $HOST and then you can use $HOST in your destination filename.

On Mon, Mar 23, 2020 at 7:16 PM Syslogng <mailto:syslogng at master666.com> wrote:

-- 
Bazsi

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq

Hi,

We receive aggregated syslog from a server (all logs are sent from 1 IP). Also all the events are mixed.
The name of the host sending the initial traffic is in each event.

ex:
2020/03/23 [notice] [user] New original_source=http://SERV1.example.com Task=0 ....

How to recover SERV1, which is always preceded by "original_source=" and followed by "http://example.com", to save it in a file, for example /data/serv1.log?
I don't want a static filter (I know how to do it) but a dynamic one. If a new event arrives at original_source=http://SERV2.example.com
I would like it to automatically create a /data/serv2.log

Could you help me please?

Thank you in advance

Pit