I am trying to strip out parts of a hostname for logs that come in from my
firewalls. So with each firewall that I have, I effectively have a pair, an
"a" and a "b" firewall. For this example, I will call them firewalla and
firewallb. Is there a way to strip the 'a' or 'b' off the filename that it's
being written to dynamically?
I have done this as an example, and it works as I expect it to:
$template DYNfirewalllog,"/path/to/logs/firewall/%$YEAR%%$MONTH%%$DAY%-iptables.log"
if \
$source == 'firewalla' \
or \
$source == 'firewallb' \
and \
$msg contains 'IN=' \
then ?DYNfirewalllog
I have tried doing things similar to this that effectively don't match at
all. The regex works fine on the online checker, but I get a directory
created called "**NO MATCH**" when I try to use this in practice.
$template DYNfirewall,"/path/to/logs/%hostname:R,ERE,0,DFLT:.\\s[a-z].*[fw|ids]0[0-9]--end%/%$YEAR%%$MONTH%%$DAY%-iptables.log"
if \
$msg contains 'IN=' \
then ?DYNfirewall
If I only had a few firewalls, then this wouldn't be a big deal; I could
simply add a new entry for each firewall pair. However, I am currently
managing 180 firewalls... or 90 pairs, and we are still growing, so I'm
looking for something a bit more dynamic, if you will, when it comes to
managing it.
Any ideas would be greatly appreciated!
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
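
Added example, not part of the original post and not rsyslog code: a small C harness that runs an expression through the C library's POSIX ERE engine (the regex flavour that R,ERE selects) and returns either the chosen submatch or "**NO MATCH**", as the DFLT mode does. The hostnames, the helper name ere_extract and the pair expression ^(.+)[ab]$ are assumptions made for illustration; the third field of R,ERE,0,DFLT is the submatch number, so a capture group would be read with 1 there.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Mimics %prop:R,ERE,<submatch>,DFLT:<regex>--end% using POSIX
 * regcomp()/regexec(): copies the requested submatch to out, or
 * "**NO MATCH**" when the expression does not match. Returns 1 on match. */
static int ere_extract(const char *ere, const char *value, int submatch,
                       char *out, size_t outlen)
{
    regex_t re;
    regmatch_t m[10];
    int matched = 0;

    snprintf(out, outlen, "**NO MATCH**");
    if (submatch < 0 || submatch > 9 || regcomp(&re, ere, REG_EXTENDED) != 0)
        return 0;
    if (regexec(&re, value, 10, m, 0) == 0 && m[submatch].rm_so != -1) {
        snprintf(out, outlen, "%.*s",
                 (int)(m[submatch].rm_eo - m[submatch].rm_so),
                 value + m[submatch].rm_so);
        matched = 1;
    }
    regfree(&re);
    return matched;
}

int main(void)
{
    /* Constructed hostnames; the real naming scheme is not in the post. */
    const char *hosts[] = { "firewalla", "firewallb", "edge-fw01a", "mailhost" };
    /* Expression from the post, assuming the template's \\ reaches the
     * regex engine as a single backslash. */
    const char *posted = ".\\s[a-z].*[fw|ids]0[0-9]";
    /* Assumed alternative: capture everything before a trailing a or b. */
    const char *pair = "^(.+)[ab]$";
    char buf[256];

    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++) {
        ere_extract(posted, hosts[i], 0, buf, sizeof buf);
        printf("%-10s posted -> %-12s", hosts[i], buf);
        ere_extract(pair, hosts[i], 1, buf, sizeof buf);
        printf(" pair -> %s\n", buf);
    }
    return 0;
}
```

The pair expression also shortens any unrelated hostname that happens to end in a or b, so it is only safe where the filter already limits the rule to firewall sources.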