topic Re: Monitor twice the same directory in Getting Data In

Monitor twice the same directory

StefanW — Sun, 04 Apr 2021 11:08:44 GMT

Hello,

i have syslog-ng running and got all my syslog messages from my access points and cisco switches to the same directory. But the access points should go to another index as the switch logs.

so i created to monitor stanzas, but the second stanza doesnt work.

#log cisco switches [monitor:///var/syslog/logavaya/*/*.log] host_segment = 4 disabled = false index = cisco sourcetype = syslog blacklist = \d-\d\d\.kuechen\.de\.log$ #log avaya access points [monitor:///var/syslog/logavaya/*/./*.log] host_segment = 4 disabled = false index = avaya sourcetype = avaya:ap whitelist = \d-\d\d\.kuechen\.de\.log$

The question is, how can i input all files into two index with different sourcetypes?

Re: Monitor twice the same directory

scelikok — Sun, 04 Apr 2021 11:54:41 GMT

Hi @StefanW,

You should use different stanzas, please try below. If you can define regex for cisco switches, it is better.

#log cisco switches [monitor:///var/syslog/logavaya/*/*.log] host_segment = 4 disabled = false index = cisco sourcetype = syslog blacklist = \d-\d\d\.kuechen\.de\.log$ #log avaya access points [monitor:///var/syslog/logavaya/*/./\d-\d\d\.kuechen\.de\.log$] host_segment = 4 disabled = false index = avaya sourcetype = avaya:ap

Re: Monitor twice the same directory

StefanW — Sun, 04 Apr 2021 14:06:45 GMT

I tried this first, but as I know, regex is not possible in the path part of the monitor.

Re: Monitor twice the same directory

scelikok — Sun, 04 Apr 2021 14:41:36 GMT

Hi @StefanW,

Regex does work on monitor starting from the next segment after * or ... .

The reason of the problem is, the first stanza already covers *.log files, if you can write a regex to cisco stanza it will work. If you can tell us about the files names for cisco and avaya we can offer regex.

Re: Monitor twice the same directory

StefanW — Sun, 04 Apr 2021 14:49:37 GMT

The Avaya access point logs are really simple. Like 1-01.kuechen.de

the switches have hostnames which are complex and have no really a pattern, because of that I blacklisted the avaya log files.

Re: Monitor twice the same directory

scelikok — Sun, 04 Apr 2021 16:29:27 GMT

Maybe the best idea is filtering with syslog-ng based on message content and write to a different folder.

log { source(s1); filter { match("cisco" value("MESSAGE")) }; destination(d_cisco); };

Re: Monitor twice the same directory

StefanW — Mon, 05 Apr 2021 08:52:14 GMT

ok, i solved it with wildcards

[monitor:///var/syslog/logavaya/*/*-*.kuechen.de.log]