[syslog-ng] variable host filter in events

Balazs Scheidler bazsi77 at gmail.com
Wed Mar 25 19:23:44 UTC 2020


Globs can't extract matches into name-value pairs.

Btw, pcre can also extract into named matches, so you can directly extract
into $HOST.

On Wed, Mar 25, 2020, 15:25 Syslogng <syslogng at master666.com> wrote:

> Hi,
>
> Thanks for your information, I managed to do this with:
>
> filter f_host {
>   match(
>     'original_source=[^\.]*'
>     flags(store-matches)
>     value('MSGONLY')
>     type("pcre")
>   );
> };
>
> destination d_host {
>       file("/data/$1/messages.log")
> };
>
>
> If it can help someone else.
>
> Maybe a last question: would it not be better to use glob in this case
> to reduce CPU usage?
> But I didn't manage to do it, with different tries like:
> filter f_host {
>   match(
>     "original_source=*.example.com"
>     flags(store-matches)
>     value('MSGONLY')
>     type("glob")
>   );
> };
>
>
> ---- On Tue, 24 Mar 2020 07:18:37 +0100 Balazs Scheidler
> <bazsi77 at gmail.com> wrote ----
>
> Hi,
>
> You can extract values from $MSG by using regexps (by using a regexp-based
> filter with the flags(store-matches) option), or by using csv-parser() with
> a custom separator (this should be faster) or even db-parser. In any case,
> once you have extracted the server name just make sure to store it in $HOST and
> then you can use $HOST in your destination filename.
>
>
> On Mon, Mar 23, 2020 at 7:16 PM Syslogng <syslogng at master666.com> wrote:
>
>
>
> --
> Bazsi
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
> Hi,
>
> We receive aggregated syslog from a server (all logs are sent from 1 IP).
> Also, all the events are mixed.
> The name of the host sending the initial traffic is in each event.
>
> ex:
> 2020/03/23 [notice] [user] New original_source=SERV1.example.com Task=0
> ....
>
> How can I recover SERV1, which is always preceded by "original_source=" and
> followed by "example.com", to save it in a file, for example /data/serv1.log?
> I don't want a static filter (I know how to do it) but a dynamic one. If a
> new event arrives with original_source=SERV2.example.com
> I would like it to automatically create /data/serv2.log.
>
> Could you help me, please?
>
> Thank you in advance,
>
> Pit
>
>
>
>
>
>
>
>
>
>
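As an added example (not configuration from the thread or from the syslog-ng project), this is one way to apply the named-match suggestion above: a PCRE named group writes the extracted server name straight into $HOST, which the file() destination then uses. The source definition, port and /data layout are assumptions; the character class is deliberately narrow so that only a plain hostname label can end up in the path.

```conf
# Assumed source: the aggregating server sends everything to this listener.
source s_aggregated {
    network(ip("0.0.0.0") port(514) transport("udp"));
};

# Named subpattern (?<HOST>...) is stored as $HOST when store-matches is set.
# Glob patterns cannot capture, so type("pcre") is required here.
# [A-Za-z0-9-]+ stops at the first dot and rejects "/" and "..", so a
# message cannot steer the destination path outside /data/<host>/.
filter f_host {
    match('original_source=(?<HOST>[A-Za-z0-9-]+)\.example\.com'
          flags(store-matches)
          value("MSGONLY")
          type("pcre")
    );
};

# Messages that do not match the filter never reach d_host.
destination d_host {
    file("/data/${HOST}/messages.log" create-dirs(yes));
};

log {
    source(s_aggregated);
    filter(f_host);
    destination(d_host);
};
```

With the sample event from the thread, $HOST becomes SERV1 and the line is written to /data/SERV1/messages.log; events without a matching original_source= field are dropped by the filter rather than landing in an unnamed directory.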