I have several servers logging to a central syslog server, which collects the logs using syslog-ng.

I send logs with a tag using the logger command:

$ logger -n 01.02.03.04 "Hello from $HOST at $(date)" -t MY_SPECIFIC_TAG -p local2.error

Using syslog-ng, the message is then written as follows:

Mar 5 23:36:04 05.06.07.08 MY_SPECIFIC_TAG: Hello from vps1234567 at Tue Mar 5 23:36:04 CET 2019

My aim is to make all applications (java, apache, mysql, ...) send their logs using a tag that identifies the app generating the message, so I can write the logs on my syslog server to a file matching the name of the app.

Is it possible to extract the string MY_SPECIFIC_TAG from the message and use it as a variable in the path of the file?

This extraction needs to be performed in the syslog-ng configuration file, so I can write the destinations as follows:

destination dst_custom {
    file("${MY_SPECIFIC_TAG}-${FACILITY}-${LEVEL}-${YEAR}-${MONTH}-${DAY}.log");
};

Jean

2 Answers

OK, I solved it:

The syslog-ng macro ${PROGRAM} extracts this information.

Jean
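As an added illustration (not code from either post, and not syslog-ng's own implementation), here is a small Python parser that splits a line of the form shown in the question into the fields that syslog-ng's ${HOST}, ${PROGRAM} and ${PID} macros hold, and builds the per-application file name the question asks for. Because the tag is chosen by whoever runs logger -t, the example allow-lists it before using it in a path; the facility, level and date values are fixed placeholders, and the sample lines are constructed.

```python
import re

# Constructed sample lines in the layout the question shows (BSD-style syslog as written by syslog-ng).
SAMPLE_LINES = [
    "Mar  5 23:36:04 05.06.07.08 MY_SPECIFIC_TAG: Hello from vps1234567 at Tue Mar 5 23:36:04 CET 2019",
    "Mar  5 23:36:05 05.06.07.08 sshd[1234]: Accepted publickey for jean from 10.0.0.5 port 51234 ssh2",
    "Mar  5 23:36:06 05.06.07.08 ../other-dir/tag: a tag containing a path separator, set by the sender",
    "Mar  5 23:36:07 05.06.07.08 message with no tag at all",
]

# Timestamp, host, then an optional "program[pid]:" header, split the way ${PROGRAM} / ${PID} do.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?:(?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: )?"
    r"(?P<msg>.*)$"
)

# Characters we are willing to let a sender-chosen tag put into a file name.
SAFE_TAG = re.compile(r"^[A-Za-z0-9_.-]+$")


def parse_line(line):
    """Return the fields of one syslog line; program and pid are None when there is no tag."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return m.groupdict()


def destination_name(fields, facility="local2", level="error", year="2019", month="03", day="05"):
    """Build the file name pattern from the question. The tag comes from the message, so anything
    that is not a plain token (path separators, '.', '..', empty) falls back to 'untagged'."""
    program = fields.get("program") or ""
    if not SAFE_TAG.match(program) or program in (".", ".."):
        program = "untagged"
    return f"{program}-{facility}-{level}-{year}-{month}-{day}.log"


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        fields = parse_line(line)
        print(fields["program"], fields["pid"], "->", destination_name(fields))
```
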
BLUF: Yes, it is.
Q: If you know the tag already, why do you need to extract it?
Posit 1: I know MY_SPECIFIC_TAG and want to extract it from the messages file:
grep MY_SPECIFIC_TAG /var/log/messages | sed -n "1s/^[A-Z][a-z][a-z] [0-9:.]* \(.*\): .*/\1/p"
That ought to get you MY_SPECIFIC_TAG (or at least pretty close). YMMV
Posit 2: I know MY_SPECIFIC_TAG but I do not know the path in front of it (i.e. /path/to/program/MY_SPECIFIC_TAG)
grep MY_SPECIFIC_TAG /var/log/messages | sed -n "1s+^[A-Z][a-z][a-z] [0-9:.]* \(/[a-zA-Z0-9/]*/.*\): .*+\1+p"

Is that what you are looking for?
To set that as a variable, place the entire command inside $() and use that as the right side of the assignment.
my_path_var=$( {command from above} )

UPDATE: If you don't know what MY_SPECIFIC_TAG is, and you want to find them:
cat /var/log/messages | sed -n "s/^[A-Z][a-z][a-z] [0-9:.]* \(.*\): .*/\1/p" | sort -u
This will not print any lines without a tag.

Now, before you go all "UUOC!" on me, I've done it this way to show the comparison of this command to the old command. That way, the OP (and other future readers) can easily tailor these commands to their system.
Note: UUOC = Unnecessary Use Of Cat. The file name can be placed after the p" and the cat command removed. However, for demonstrative purposes, cat is being used here.

Scottie H
  • This extraction needs to be done inside the syslog-ng configuration file, hence I cannot use grep. Well, I think. I added details to the OP. – Jean Mar 06 '19 at 07:44
  • I'll update my answer to remove the grep, pull out all the tags and remove all the duplicates. – Scottie H Mar 07 '19 at 02:05