5.4. Customizing the message format

The format of the messages received from the eventlog can be customized using macros. Besides the macros, you can use the following characters: <>,():;-+/_, and all alphanumeric characters.

The syslog-ng agent can send the syslog messages using either the ISO or the BSD timestamp format. It is recommended to use the ISO format, because it contains much more information than the BSD format.

The macros related to the date of the message (e.g., ISODATE, HOUR, etc.) each have two further versions: one with the S_ prefix and one with the R_ prefix (e.g., S_DATE and R_DATE). The S_DATE macro represents the date found in the log message, i.e. when the message was sent by the original application. R_DATE is the date when syslog-ng received the message.

Note that in the syslog-ng agent, the macros without prefix (e.g., DATE) always refer to the receiving date of the message (e.g., R_DATE) when it arrived into the event log container, and are included only for compatibility reasons.

Warning

If a remote host is logging into the event log of the local host that is running syslog-ng Agent for Windows, both hosts should be in the same timezone, because the event log message does not include the timezone information of the sender host. Otherwise, the date of the messages received from the remote host will be incorrect.

The following table lists the available macros:

Macro                                Description
DAY, R_DAY, S_DAY                    The day the message was sent.
$EVENT_CATEGORY                      The category of the event.
$EVENT_ID                            The identification number of the event.
$EVENT_NAME                          Name of the Windows event log container (e.g., Application or Security).
$EVENT_SID                           The security identifier (SID) of the event.
$EVENT_SID_TYPE                      The type of the security identifier resolved into a name. One of the following: User, Group, Domain, Alias, WellKnownGroup, DeletedAccount, Invalid, Unknown, Computer.
$EVENT_SOURCE                        The application that created the message.
$EVENT_TYPE                          The importance level of the message in text format.
FACILITY                             The facility that sent the message.
FULLDATE, R_FULLDATE, S_FULLDATE     A nonstandard format for the date of the message using the same format as DATE, but including the year as well, e.g.: 2006 Jun 13 15:58:00.
HOUR, R_HOUR, S_HOUR                 The hour of day the message was sent.
$HOST                                Name of the host sending the message.
ISODATE, R_ISODATE, S_ISODATE        Date of the message in the ISO 8601-compatible standard timestamp format (yyyy-mm-ddThh:mm:ss+-ZONE), e.g.: 2006-06-13T15:58:00.123+01:00. If possible, use ISODATE for timestamping. Note that the syslog-ng agent cannot produce fractions of a second (e.g., milliseconds) in the timestamp.
$LEVEL                               Importance level of the message represented as a number: 6 - Success, 5 - Informational, 4 - Warning, or 3 - Error.
MIN, R_MIN, S_MIN                    The minute the message was sent.
MONTH, R_MONTH, S_MONTH              The month the message was sent.
MONTHNAME, R_MONTHNAME, S_MONTHNAME  The English name of the month the message was sent, abbreviated to three characters (e.g., Jan, Feb, etc.).
$MSG                                 The content of the message.
$PRI                                 Priority header of the message, storing the facility and the level of the message.
$R_DATE                              Date when the message was recorded into the event log container.
$REC_NUM                             The record number of the message in the event log.
$S_DATE                              Date when the message was created.
SEC, R_SEC, S_SEC                    The second the message was sent.
TZ, R_TZ, S_TZ                       The name of the time zone of the host.
TZOFFSET, R_TZOFFSET, S_TZOFFSET     The time zone as an hour offset from GMT, e.g.: -07:00. In syslog-ng 1.6.x this was -0700; since ISODATE requires the colon, TZOFFSET now includes it as well.
UNIXTIME, R_UNIXTIME, S_UNIXTIME     Standard Unix timestamp, represented as the number of seconds since 1970-01-01T00:00:00.
$USERNAME                            The username running the application that created the message.
YEAR, R_YEAR, S_YEAR                 The year the message was sent.
WEEK, R_WEEK, S_WEEK                 The week number of the year. (The first Monday in the year marks the first week.)
WEEKDAY, R_WEEKDAY, S_WEEKDAY        The 3-letter name of the day of the week the message was sent, e.g., Thu.

Table 5.1. Macros of the syslog-ng agent


By default, syslog-ng Agent uses the following format: <${PRI}>$DATE $HOST: ${USERNAME}: ${EVENT_NAME} ${EVENT_SOURCE}: [${EVENT_TYPE}] ${MSG} (EventID ${EVENT_ID})
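To make the macro semantics above concrete, the following Python is an added example (not code from the syslog-ng Agent documentation or product) that expands a message-format template against a constructed event record: it honours both the ${NAME} and $NAME spellings, maps the unprefixed date macros to the R_ (receive) time as the section states, emits TZOFFSET/ISODATE in the colon form, and computes PRI with the standard syslog encoding (facility * 8 + level). The sample event values, the field names ending in _TIME, and the choice to raise on an unknown macro are assumptions of this example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample event record (the fields an agent would read from the event log).
CET = timezone(timedelta(hours=1))
SAMPLE_EVENT = {
    "HOST": "winhost01", "USERNAME": "WINHOST01\\svc_app",
    "EVENT_NAME": "Application", "EVENT_SOURCE": "MyService",
    "EVENT_TYPE": "Warning", "EVENT_ID": "1001",
    "MSG": "Disk usage above threshold",
    "FACILITY": 16,  # local0
    "LEVEL": 4,      # Warning, as listed for $LEVEL in Table 5.1
    "S_TIME": datetime(2006, 6, 13, 15, 58, 0, tzinfo=CET),  # when the application wrote it
    "R_TIME": datetime(2006, 6, 13, 15, 58, 2, tzinfo=CET),  # when it reached the event log
}

DEFAULT_FORMAT = ("<${PRI}>$DATE $HOST: ${USERNAME}: ${EVENT_NAME} ${EVENT_SOURCE}: "
                  "[${EVENT_TYPE}] ${MSG} (EventID ${EVENT_ID})")

def date_macros(t, prefix):
    """Date/time macros for one timestamp, named with prefix '', 'S_' or 'R_'."""
    off = t.strftime("%z")                # +0100 (the old syslog-ng 1.6.x style)
    tzoffset = off[:3] + ":" + off[3:]    # +01:00 (the colon form ISODATE requires)
    return {
        prefix + "ISODATE": t.strftime("%Y-%m-%dT%H:%M:%S") + tzoffset,
        prefix + "DATE": f"{t:%b} {t.day:2d} {t:%H:%M:%S}",        # BSD style
        prefix + "FULLDATE": f"{t:%Y %b} {t.day:2d} {t:%H:%M:%S}",
        prefix + "TZOFFSET": tzoffset,
        prefix + "UNIXTIME": str(int(t.timestamp())),
        prefix + "YEAR": f"{t:%Y}", prefix + "MONTH": f"{t:%m}", prefix + "DAY": f"{t:%d}",
        prefix + "HOUR": f"{t:%H}", prefix + "MIN": f"{t:%M}", prefix + "SEC": f"{t:%S}",
        prefix + "MONTHNAME": f"{t:%b}", prefix + "WEEKDAY": f"{t:%a}",
    }

def build_macros(ev):
    macros = {k: str(v) for k, v in ev.items() if not k.endswith("_TIME")}
    macros["PRI"] = str(ev["FACILITY"] * 8 + ev["LEVEL"])   # standard syslog PRI encoding
    macros.update(date_macros(ev["S_TIME"], "S_"))
    macros.update(date_macros(ev["R_TIME"], "R_"))
    macros.update(date_macros(ev["R_TIME"], ""))   # unprefixed date macros mean the R_ time
    return macros

MACRO_RE = re.compile(r"\$\{(\w+)\}|\$(\w+)")   # matches ${NAME} and $NAME

def render(template, ev=SAMPLE_EVENT):
    """Expand a message-format template; an unknown macro raises instead of silently vanishing."""
    macros = build_macros(ev)
    def sub(m):
        name = m.group(1) or m.group(2)
        if name not in macros:
            raise ValueError(f"unknown macro: {name}")
        return macros[name]
    return MACRO_RE.sub(sub, template)
```

Rendering DEFAULT_FORMAT with the sample event yields the receive time in the $DATE field (15:58:02), while ${S_DATE} would give the application's own 15:58:00.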


© 2007 BalaBit IT Security
Please send your comments or documentation bugs to: documentation@balabit.com