
Re: Filtering Syslog-NG



On 2007-09-05T11:06:56-0400, Nathan wrote:
> destination d_ALL { 
> file("/var/log/$R_YEAR/$R_MONTH/$HOST/$R_YEAR-$R_MONTH-$R_DAY"); };
> 
> 
> I need to filter out the logs from one host and have it go to a 
> different destination.
> 
> I set up the following destination:
> 
> destination d_CUDA { 
> file("/var/log/CUDA/$R_YEAR/$R_MONTH/$R_YEAR-$R_MONTH-$R_DAY"); };
> 
> 
> and I set up the following filter:
> 
> filter f_cuda      { host(x.x.x.x); };

x.x.x.x should be a regular expression (for example: host("fubar")) and 
you want that to match whatever syslog-ng logs for the host.

You may be interested in the use_dns(yes|no) option, as well as
the template $HOST value (you may still want to use $HOST and use a 
symbolic link so you have data available under either IP or hostname 
directory).  The other option is to use netmask() in your filter instead 
of host().

It sounds like you have another log statement, and that it does not 
exclude the data from your cuda host.  Another way may be the 
flags(final).
 
> However it isn't working.  The new directory isn't being created and the 
> logs are still going to the old destination.  I think the problem is 
> with my filter.  Does using a 'host' filter block messages or allow them?

Neither.  It selects messages from the log stream, and the log statement 
tells syslog what to do with them.  If there are no messages that match, 
the template is probably not invoked to create the directories.

> What do I need to do to filter out the logs from that host from going to 
> the "d_ALL" destination and force it to go to "d_CUDA" instead?  Thanks.

not host($host)

where $host is the name syslog logs for the host.  You can probably also 
use the flags(final) on the log statement for cuda, and you may then 
want to list that log before the log statement that catches the rest.

Make sure you restart (not just reload) syslog-ng after your changes.  
Otherwise you may not know of syntax errors that cause the old config 
to be still used.  And another tip is to test your rules using logger.


/Allan
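
The two routing approaches discussed in this message, written out as one syslog-ng configuration fragment. This is an added example and not part of the original message; the source name s_net, the filter name f_not_cuda and the pattern "cuda-host" are placeholders, and the pattern must match whatever host value syslog-ng actually records for that machine.

```conf
# Added example. s_net, f_not_cuda and "cuda-host" are placeholders.
source s_net { udp(); };

# Destinations as given in the thread.
destination d_ALL {
    file("/var/log/$R_YEAR/$R_MONTH/$HOST/$R_YEAR-$R_MONTH-$R_DAY"); };
destination d_CUDA {
    file("/var/log/CUDA/$R_YEAR/$R_MONTH/$R_YEAR-$R_MONTH-$R_DAY"); };

# host() takes a regular expression and only selects messages;
# the log statements below decide where the selected messages go.
filter f_cuda     { host("cuda-host"); };
filter f_not_cuda { not host("cuda-host"); };

# Approach 1: list the specific log statement first and stop
# further processing of matching messages with flags(final).
log { source(s_net); filter(f_cuda); destination(d_CUDA); flags(final); };
log { source(s_net); destination(d_ALL); };

# Approach 2 (use instead of approach 1): no flags(final), but the
# catch-all statement explicitly excludes the host.
# log { source(s_net); filter(f_cuda);     destination(d_CUDA); };
# log { source(s_net); filter(f_not_cuda); destination(d_ALL); };
```

With either approach, a message from the matched host is written only under /var/log/CUDA, and every other host continues to be written to d_ALL.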


