With syslog-ng it is possible to create a file per detected entry in the logged messages. In syslog-ng.conf you can define a custom parser:
Code:
parser foobar { db_parser(file("/root/patterns/rules.xml")); };
options { create_dirs(yes); dir_perm(0755); };
destination baz { file("/var/log/collection/$FOO_ADDRESS.log"); };
log { source(src); parser(foobar); destination(baz); };
with an XML entry like:
Code:
<patterndb version='3' pub_date='2012-07-25'>
  <ruleset name='get_adress' id='5010'>
    <rules>
      <rule id='5010001' class='system' provider='reuti'>
        <patterns>
          <pattern>from: @IPv4:FOO_ADDRESS@</pattern>
        </patterns>
      </rule>
    </rules>
  </ruleset>
</patterndb>
and use $FOO_ADDRESS for the file destination entry like outlined above.
Maybe this has an equivalent in rsyslogd.
--
The above will scan all messages (it could be limited to named though) for entries such as “from: 12.34.56.78”.
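As an added example (not part of the post and not syslog-ng code), the following Python emulates the pattern match and macro expansion outlined above: it reads the ruleset XML, matches the `@IPv4:FOO_ADDRESS@` pattern against a message and expands `$FOO_ADDRESS` into the destination path. It assumes only the IPv4 parser type is needed and that a patterndb pattern has to cover the whole message.

```python
import re
import xml.etree.ElementTree as ET

# Ruleset from the post (constructed inline so this runs offline).
RULES_XML = """<patterndb version='3' pub_date='2012-07-25'>
<ruleset name='get_adress' id='5010'><rules>
<rule id='5010001' class='system' provider='reuti'>
<patterns><pattern>from: @IPv4:FOO_ADDRESS@</pattern></patterns>
</rule></rules></ruleset></patterndb>"""

DESTINATION_TEMPLATE = "/var/log/collection/$FOO_ADDRESS.log"

# Only the IPv4 parser is emulated: four dotted decimal octets, 0-255 each,
# so the extracted value can never contain a path separator or "..".
OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
PARSERS = {"IPv4": OCTET + r"(?:\." + OCTET + r"){3}"}


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate 'literal @TYPE:NAME@ literal' into an anchored regex with named groups.
    The pattern is assumed to cover the whole message, hence the ^...$ anchors."""
    parts = []
    for literal, ptype, name in re.findall(r"([^@]*)(?:@(\w+):(\w+)@)?", pattern):
        parts.append(re.escape(literal))
        if ptype:
            parts.append(f"(?P<{name}>{PARSERS[ptype]})")
    return re.compile("^" + "".join(parts) + "$")


def load_patterns(xml_text: str) -> list:
    """Compile every <pattern> element of the ruleset."""
    return [pattern_to_regex(p.text) for p in ET.fromstring(xml_text).iter("pattern")]


def match_message(message: str, compiled: list):
    """Return the name->value macros set by the first matching rule, else None."""
    for rx in compiled:
        m = rx.match(message)
        if m:
            return m.groupdict()
    return None


def destination_for(message: str) -> str:
    """Expand the destination template as syslog-ng would. An unset macro expands
    to the empty string, so every non-matching message lands in '.log' unless the
    log path is filtered (e.g. to messages from named, as the post suggests)."""
    values = match_message(message, load_patterns(RULES_XML)) or {}
    return DESTINATION_TEMPLATE.replace("$FOO_ADDRESS", values.get("FOO_ADDRESS", ""))
```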