For example, if something like [xxx] appears in my log line, I must put this message in a file with a name starting as xxx.log. And if the message changes and [xxy] appears, I must create a new log file named xxy.log. How can I do that in a syslog-ng config file?
3 Answers
0
To filter for specific messages, you can use filter expressions in syslog-ng. You can use regular expressions in the filter as well. To use the results of the match in the filename, try using a named pattern in the filter expression:
filter f_myfilter {message("(?<name>pattern)");};
Then you can use the named match in the destination template:
destination d_file {
    file("/var/log/${name}.log");
};
Let me know if it works, I haven't had the time to test it.

Robert Fekete
- Is something wrong with the pattern? I replaced my previous config using this line message("(?[*name*]pattern)"); but I get an error parsing filter expression. – Rys Dec 06 '17 at 13:16
- It's possible that named patterns are supported only in rewrite rules, I'll try to check this sometime – Robert Fekete Dec 11 '17 at 11:17
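A fuller sketch of per-tag routing, added here as an example and not taken from any of the answers: it relies on the `store-matches` regex flag, which the syslog-ng documentation describes as storing named subpatterns as well, and it restricts the captured tag to an allowlist because the tag comes from message content and ends up in a file path. The names `s_app`, `f_tagged`, `d_per_tag`, `d_untagged`, `apptag` and all paths are assumptions.

```conf
# Added example, not from the answers. Names and paths are hypothetical.
# Fragment meant to be included in an existing syslog-ng.conf.

source s_app {
    # Hypothetical input; replace with the source that carries the tagged lines.
    # no-parse keeps the whole line in ${MESSAGE}.
    file("/var/log/app/input.log" follow-freq(1) flags(no-parse));
};

# Match "[tag]" and keep the tag as the name-value pair ${apptag}.
# The character class is an allowlist: no "/", no ".", at most 32 characters,
# so message content cannot steer the path out of the target directory.
# A loose capture such as (?<apptag>.*) would put sender-controlled text
# straight into the file name.
filter f_tagged {
    match('\[(?<apptag>[A-Za-z0-9_-]{1,32})\]' value("MESSAGE") flags("store-matches"));
};

destination d_per_tag {
    # One file per distinct tag, for example xxx.log and xxy.log.
    # create-dirs(no): the directory must already exist with the right owner and mode.
    file("/var/log/syslog-ng/tagged/${apptag}.log" create-dirs(no));
};

destination d_untagged {
    file("/var/log/syslog-ng/untagged.log");
};

# Tagged lines go to their own file and processing stops here.
log { source(s_app); filter(f_tagged); destination(d_per_tag); flags(final); };

# Lines that no other log statement handled land in one catch-all file.
log { source(s_app); destination(d_untagged); flags(fallback); };
```

Each distinct tag still creates its own file, so the number of files in the target directory is worth monitoring when senders are not trusted.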
0
I found this way to resolve my problem.
parser p_apache {
    csv-parser(
        columns("MY.ALGO", "MY.MOSTRAR", "MY.OTRA")
        delimiters("|")
    );
};
destination d_file {
    file("/var/log/syslog-ng/$YEAR-$MONTH/$DAY/messages-${MY.ALGO:-nouser}.log");
};

Rys
0
Regex is the answer here.
E.g.: I have a file named access2018-10-21.log as the source, so my access log source file entry becomes:
file("/opt/liferay-portal-6.2-ee-sp13/tomcat-7.0.62/logs/access[0-9][0-9][0-9][0-9]\-[0-9][0-9]\-[0-9][0-9].log" follow_freq(1) flags(no-parse));

Sumeet