Hi,

thanks for your help. I got something working that fits my needs and I'd
like to add this here in case someone searches the list for something
similar.

.conf file:

  $template debugFile,"/tmp/%msg:R,ERE,1,DFLT:\[\[(.*)\]\]--end%_DEBUG.log"
  local0.* ?debugFile
  $template infoFile,"/tmp/%msg:R,ERE,1,DFLT:\[\[(.*)\]\]--end%_INFO.log"
  local0.info ?infoFile
  $template warningFile,"/tmp/%msg:R,ERE,1,DFLT:\[\[(.*)\]\]--end%_WARNING.log"
  local0.warning ?warningFile
  $template errorFile,"/tmp/%msg:R,ERE,1,DFLT:\[\[(.*)\]\]--end%_ERROR.log"
  local0.error ?errorFile

So with a call to

  logger -p local0.warning \[\[loc_asdf\]\] I WARN YOU!

the message ends up in /tmp/loc_asdf_WARNING.log and
/tmp/loc_asdf_ERROR.log

http://www.rsyslog.com/regex/ was really helpful to get the rsyslog
specific filter expression right.

Cheers
Oliver
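
Added example, not part of Oliver's post and not rsyslog code: a small Python model of the four rules above, showing which files a tagged local0 message reaches and checking that a tag taken from message text cannot add a path component to the file name. It goes slightly beyond the post by adding that check and a stricter expression; the names BASE, RULES, STRICT, extract_tag, safe_path and destinations and the tag alphabet are assumptions.

```python
import re
from pathlib import PurePosixPath

BASE = PurePosixPath("/tmp")
# Syslog severities, most severe first.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# (selector threshold, file suffix) for the four rules in the post.
# "local0.*" is modelled as threshold "debug"; "error" is the old alias of "err".
RULES = [("debug", "DEBUG"), ("info", "INFO"), ("warning", "WARNING"), ("err", "ERROR")]

POSTED = re.compile(r"\[\[(.*)\]\]")              # expression from the post
STRICT = re.compile(r"\[\[([A-Za-z0-9_-]+)\]\]")  # assumption: tags use this alphabet


def extract_tag(msg, pattern=POSTED):
    """Return capture group 1, or None when the marker is absent."""
    m = pattern.search(msg)
    return m.group(1) if m else None


def safe_path(tag, suffix):
    """Build BASE/<tag>_<suffix>.log; refuse tags that would add a path component."""
    if not tag or "/" in tag or "\0" in tag:
        return None
    return str(BASE / f"{tag}_{suffix}.log")


def destinations(severity, msg, pattern=POSTED):
    """Files a local0 message of this severity is written to under the model."""
    tag = extract_tag(msg, pattern)
    level = SEVERITIES.index(severity)
    paths = []
    for threshold, suffix in RULES:
        # A selector matches its own severity and everything more severe.
        if level <= SEVERITIES.index(threshold):
            path = safe_path(tag, suffix)
            if path:
                paths.append(path)
    return paths


if __name__ == "__main__":
    # Constructed sample messages.
    print(destinations("warning", "[[loc_asdf]] I WARN YOU!"))
    print(extract_tag("[[a]] first [[b]] second"))          # greedy: spans both markers
    print(extract_tag("[[a]] first [[b]] second", STRICT))  # first marker only
    print(destinations("info", "[[sub/dir]] text"))         # rejected tag: no file
```

The model returns no file when the marker is missing; it does not reproduce what rsyslog substitutes for a non-matching expression.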


On 3 April 2014 16:23, Oliver Bestwalter <[email protected]> wrote:

> Hi,
>
> thanks for your help. I will look into these resources.
>
> Cheers
> Oliver
>
>
> On 2 April 2014 18:25, David Lang <[email protected]> wrote:
>
>> On Wed, 2 Apr 2014, Oliver Bestwalter wrote:
>>
>>> Hi Rainer,
>>>
>>> On 2 April 2014 11:50, Rainer Gerhards <[email protected]> wrote:
>>>
>>>> can you provide a sample of a message that you generate and tell us
>>>> where the to-be-filtered field is?
>>>>
>>>>
>>> Not really - my question is this abstract because I simply don't know how
>>> this would be possible in rsyslog and if it is possible at all ... As I
>>> don't know how this should be done I try not to assume anything and only
>>> try to tell you what I need. It does not even have to be a specific field
>>> (my understanding of those is a bit fuzzy still anyway) but it could
>>> filter for a message part in brackets or some similar marker.
>>>
>>
>> As an abstract answer, Yes, rsyslog can filter on anything you can
>> define, and can write to dynamically named files, you just need to define
>> where you want it to write.
>>
>> For filtering
>> http://www.rsyslog.com/doc/rsyslog_conf_filter.html
>>
>> for crafting the filename to write to you need to define a template for
>> the filename
>> http://www.rsyslog.com/doc/rsyslog_conf_templates.html
>>
>> there are predefined variables
>> http://www.rsyslog.com/doc/property_replacer.html
>>
>> in v6+ you can define your own variables.
>>
>> in v8.2 (and possibly in v7.6), you can assign the result of a template
>> operation to a variable.
>>
>> exactly how you would do this depends on the format of your logs and what
>> it takes to parse them.
>>
>> David Lang
>>
>>> Example log messages with a brackets marker:
>>>
>>>    <group_a> Message that will end up only in "group_a.log"
>>>    <group_a> Another Message for "group_a.log"
>>>    <group_b> Some interesting message for "group_b.log"
>>>    <group_c> Message for "group_c.log"
>>>
>>> These messages based on the matched name will then end up in the
>>> corresponding log file. For the above example, the logfiles with their
>>> contents would be:
>>>
>>>    /var/log/group_logs/group_a.log
>>>       <group_a> Message that will end up only in "group_a.log"
>>>       <group_a> Another Message for "group_a.log"
>>>
>>>    /var/log/group_logs/group_b.log
>>>    <group_b> Some interesting message for "group_b.log"
>>>
>>>    /var/log/group_logs/group_c.log
>>>       <group_c> Message for "group_c.log"
>>>
>>> So it would work like a regex that saves the matched name in a group and
>>> uses it as the name of the file.
>>>
>>> [If possible it would be nice to massage the contents to leave out the
>>> <...> parts, but I guess that's a different question].
>>>
>>> Sorry if that was a bit verbose ... hope that clarifies it.
>>>
>>> Cheers
>>> Oliver
>>> _______________________________________________
>>> rsyslog mailing list
>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>> http://www.rsyslog.com/professional-services/
>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>>> DON'T LIKE THAT.
>>>