Re: Filtering Syslog-NG

Wed, 05 Sep 2007 10:27:35 -0700 

Allan Wind wrote:

On 2007-09-05T11:06:56-0400, Nathan wrote:
destination d_ALL { file("/var/log/$R_YEAR/$R_MONTH/$HOST/$R_YEAR-$R_MONTH-$R_DAY"); }; 



I need to filter out the logs from one host and have it go to a 
different destination.


I setup the following destination:


destination d_CUDA { 
file("/var/log/CUDA/$R_YEAR/$R_MONTH/$R_YEAR-$R_MONTH-$R_DAY"); };



and I setup the following filter:

filter f_cuda      { host(x.x.x.x); };



x.x.x.x should be a regular expression (for example: host("fubar")) and 
you want that to match whatever syslog-ng logs for the host.


You may be interested in the use_dns(yes|no) option, as well as

the template $HOST value (you may still want to use $HOST and use a 
symblic link so you have data available under either IP or hostname 
directory).  The other option is to use netmask() in your filter instead 
of host().



It sounds like you have another log statement, and that it does not 
exclude the data from your cuda host.  Another way may be the 
flags(final).
 

However it isn't working.  The new directory isn't being created and the 
logs are still going to the old destination.  I think the problem is 
with my filter.  Does using a 'host' filter block messages or allow them?



Neither.  It selects messages from the log stream, and the log statement 
tells syslog what to do with them.  If there are no messages that match 
the template is probably not invoked to create the directories.



What do I need to do filter out the logs from that host from going to 
the "d_ALL" destination and force it to go to "d_CUDA" instead?  Thanks.


not host($host)


where $host is the name syslog logs for the host.  You can probably also 
use the flags(final) on the log statement for cuda, and you may then 
want to list that log before the log statement that catches the rest.



Make sure you restart (not just reload) syslog-ng after your changes.  
Otherwise you may not know of syntax errors that cause the old config 
to be still used.  And another tip is to test your rules using logger.



/Allan





It works perfectly!  Thanks!

Nathan


--

To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
















    











					Reply via email to