[rsyslog] Use part of incoming syslog message in an output file name?

Ben Bradley bbradleyuk at gmail.com
Mon Jan 28 12:30:23 CET 2013


On Mon, 28 Jan 2013 10:44:31 +0000
Rainer Gerhards <rgerhards at hq.adiscon.com> wrote:

> http://www.rsyslog.com/doc/property_replacer.html
> 

That's excellent.
I've got my regular expression and tested it using the regex tester...
$template tpl, "%msg:R,ERE,1,BLANK:([a-z0-9\-\.]+) [0-9]+$--end%\n"


How do I modify this bit of config to use it?

$template ApacheAccessLogFile, "/var/log/httpd/%procid%_access.log"
$template ApacheAccessLogFormat, "%msg:2:$:drop-last-lf%\r\n"

if $app-name == 'apache-access' and $syslogfacility-text == 'local0' and $syslogseverity-text == 'info' then -?ApacheAccessLogFile;ApacheAccessLogFormat

In my ApacheAccessLogFile template I'd like to use the sub-match returned by the regex in place of the %procid% variable in the output file path.

How do I do that?
This would be a great example and would really help me figure out how to build more complex configurations.

Cheers, B
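
One way to do what the message above asks, as an added example that is not part of the original thread or rsyslog's own documentation: the regex expression goes into the file-name template in place of %procid%. It assumes the property replacer accepts an option after the `--end` terminator, and it adds `secpath-replace` because the path component now comes from message content.

```conf
# Added example, not from the original thread. Legacy rsyslog directive
# syntax, reusing the regex and template names from the message above.

# Weak form: the sub-match is taken from the message text and placed in the
# path unfiltered. The character class here has no "/", so it cannot leave
# /var/log/httpd/ today, but nothing protects the path if the regex is
# loosened later.
# $template ApacheAccessLogFile, "/var/log/httpd/%msg:R,ERE,1,BLANK:([a-z0-9\-\.]+) [0-9]+$--end%_access.log"

# Hardened form: same extraction, with secpath-replace so any slash in the
# extracted value becomes "_" before it is used in the file name.
# (Assumption: options are accepted after "--end", as in the ordinary
# %property:fromChar:toChar:options% form.)
$template ApacheAccessLogFile, "/var/log/httpd/%msg:R,ERE,1,BLANK:([a-z0-9\-\.]+) [0-9]+$--end:secpath-replace%_access.log"

# Unchanged from the original message: line format and selection rule.
$template ApacheAccessLogFormat, "%msg:2:$:drop-last-lf%\r\n"

if $app-name == 'apache-access' and $syslogfacility-text == 'local0' and $syslogseverity-text == 'info' then -?ApacheAccessLogFile;ApacheAccessLogFormat
```

With BLANK as the no-match mode, lines the regex does not match yield an empty sub-match and are written to /var/log/httpd/_access.log. `rsyslogd -N1` checks the configuration before a restart.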


