8.5. Macros

Certain parts of syslog-ng (e.g., destination filenames and message content templates) can refer to one or more macros, which get expanded as a message is processed. The table below summarizes the macros available in syslog-ng.

Note: See Section 5.6, “Customizing the message format” for the macros available in the syslog-ng Agent for Windows application.

Macros can be included by prefixing the macro name with a $ sign, just like in Bourne compatible shells. Braces around the macro name are optional: "$MSG" and "${MSG}" are equivalent.

Default values for macros can also be specified by appending the :- characters and the default value to the macro, e.g.,

${HOST:-default_hostname}

| Name | Description |
|---|---|
| BSDTAG | Facility/priority information in the format used by the FreeBSD syslogd: a priority number followed by a letter that indicates the facility. The priority number can range from 0 to 7. The facility letter can range from A to Y, where A corresponds to facility number zero (LOG_KERN), B corresponds to facility 1 (LOG_USER), etc. |
| DATE, R_DATE, S_DATE | Date of the message using the BSD-syslog style timestamp format (month/day/hour/minute/second, each expressed in two digits). This is the original syslog time stamp without year information, e.g.: Jun 13 15:58:00. |
| DAY, R_DAY, S_DAY | The day the message was sent. |
| FACILITY | The facility that sent the message. |
| FULLDATE, R_FULLDATE, S_FULLDATE | A nonstandard format for the date of the message using the same format as DATE, but including the year as well, e.g.: 2006 Jun 13 15:58:00. |
| FULLHOST | The full FQDN of the host name chain (without trimming chained hosts), including the domain name. To use this macro, make sure that the keep_hostname() option is enabled. |
| FULLHOST_FROM | FQDN of the host that sent the message to syslog-ng as resolved by syslog-ng using DNS. If the message traverses several hosts, this is the last host in the chain. To use this macro, make sure that the keep_hostname() option is enabled. |
| HOUR, R_HOUR, S_HOUR | The hour of day the message was sent. |
| HOST | The name of the source host where the message originates from. If the message traverses several hosts and the chain_hostnames() option is on, the first host in the chain is used. To use this macro, make sure that the keep_hostname() option is enabled. |
| HOST_FROM | Name of the host that sent the message to syslog-ng, as resolved by syslog-ng using DNS. If the message traverses several hosts, this is the last host in the chain. To use this macro, make sure that the keep_hostname() option is enabled. |
| ISODATE, R_ISODATE, S_ISODATE | Date of the message in the ISO 8601 compatible standard timestamp format (yyyy-mm-ddThh:mm:ss+-ZONE), e.g.: 2006-06-13T15:58:00.123+01:00. If possible, it is recommended to use ISODATE for timestamping. Note that syslog-ng can produce fractions of a second (e.g., milliseconds) in the timestamp by using the frac_digits() global or per-destination option. |
| MIN, R_MIN, S_MIN | The minute the message was sent. |
| MONTH, R_MONTH, S_MONTH | The month the message was sent. |
| MSG or MESSAGE | Text contents of the log message without the program name and pid. Note that this has changed in syslog-ng version 3.0; in earlier versions this macro included the program name and the pid. In syslog-ng 3.0, the MSG macro became equivalent with the MSGONLY macro. The program name and the pid together are available in the MSGHDR macro. |
| MSGHDR | The name and the pid of the program that sent the log message in PROGRAM: PID format. Includes a trailing whitespace. Note that the macro returns an empty value if both the program and pid fields of the message are empty. |
| MSGONLY | Message contents without the program name or pid. |
| PID | The PID of the program sending the message. |
| PRI | The priority and facility encoded as a 2 or 3 digit decimal number as it is present in syslog messages. |
| PRIORITY or LEVEL | The priority of the message. |
| PROGRAM | The name of the program sending the message. Note that the content of the $PROGRAM variable may not be completely trusted as it is provided by the client program that constructed the message. |
| SDATA.SDID.SDNAME | The syslog-ng application automatically parses the STRUCTURED-DATA part of IETF-syslog messages, which can be referenced in macros. For example, if a log message contains the following structured data: [exampleSDID@0 iut="3" eventSource="Application" eventID="1011"][examplePriority@0 class="high"] you can use macros like: ${SDATA.EXAMPLE.EVENTSOURCE}. |
| SEC, R_SEC, S_SEC | The second the message was sent. |
| SEQNUM | The sequence number of the message is a unique identifier of the message between the end-points. The syslog-ng client calculates this number when processing a new message from a local source; it is not calculated for relayed messages. The sequence number increases for every message, and is not lost even if syslog-ng is reloaded or restarted. The sequence number is a part of every message that uses the new IETF-syslog protocol (.SDATA.meta.sequenceId), and can be added to BSD-syslog messages using this macro. |
| SOURCEIP | IP address of the host that sent the message to syslog-ng. (I.e. the IP address of the host in the FULLHOST_FROM macro.) Please note that when a message traverses several relays, this macro contains the IP of the last relay. |
| STAMP, R_STAMP, S_STAMP | A timestamp formatted according to the ts_format() global or per-destination option. |
| TAG | The priority and facility encoded as a 2 digit hexadecimal number. |
| TZ, R_TZ, S_TZ | Equivalent to TZOFFSET, used to mean the time zone name abbreviation in syslog-ng 1.6.x. |
| TZOFFSET, R_TZOFFSET, S_TZOFFSET | The time-zone as hour offset from GMT; e.g.: -07:00. In syslog-ng 1.6.x this used to be -0700 but as ISODATE requires the colon it was added to TZOFFSET as well. |
| UNIXTIME, R_UNIXTIME, S_UNIXTIME | Standard unix timestamp, represented as the number of seconds since 1970-01-01T00:00:00. |
| YEAR, R_YEAR, S_YEAR | The year the message was sent. |
| WEEK, R_WEEK, S_WEEK | The week number of the year. (The first Monday in the year marks the first week.) |
| WEEKDAY, R_WEEKDAY, S_WEEKDAY | The 3-letter name of the day of week the message was sent, e.g. Thu. |

Table 8.19. Available macros
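
The macro syntax described above ($NAME, ${NAME}, ${NAME:-default}) and the PRI, TAG, BSDTAG and PRIORITY/LEVEL rows of the table, modelled as an added Python example; this is not syslog-ng's own code. It assumes that an unknown or empty macro expands to an empty string and that the default applies whenever the value is empty; `expand`, `derived_macros` and the sample message are hypothetical names.

```python
import re

PRIORITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Matches $NAME, ${NAME} and ${NAME:-default}; braced names may contain dots.
MACRO_RE = re.compile(r"\$(?:\{([\w.@]+)(?::-([^}]*))?\}|(\w+))")


def derived_macros(pri):
    """Macros the table derives from the numeric <PRI> value of a message."""
    facility, priority = pri >> 3, pri & 7
    return {
        "PRI": str(pri),                                  # decimal, as in the message
        "TAG": "%02x" % pri,                              # 2 digit hexadecimal
        "BSDTAG": "%d%s" % (priority, chr(ord("A") + facility)),  # A = facility 0
        "PRIORITY": PRIORITY_NAMES[priority],
        "LEVEL": PRIORITY_NAMES[priority],
    }


def expand(template, message):
    """Expand macros in `template` from `message`, a dict of macro name -> str."""
    values = dict(message)
    if "PRI" in values:
        values.update(derived_macros(int(values["PRI"])))

    def substitute(match):
        name = match.group(1) or match.group(3)
        default = match.group(2)
        value = values.get(name, "")      # assumption: unknown macro -> empty
        if value == "" and default is not None:
            return default                # ${NAME:-default} fallback
        return value

    return MACRO_RE.sub(substitute, template)


# Constructed sample message: facility 1 (LOG_USER), priority 6 (info) -> PRI 14.
# HOST is left empty so that the default value is used.
SAMPLE = {"PRI": "14", "HOST": "", "PROGRAM": "sshd", "PID": "4242",
          "MSG": "session opened"}

if __name__ == "__main__":
    print(expand("/var/log/${HOST:-default_hostname}/$PROGRAM.log", SAMPLE))
    print(expand("$BSDTAG $TAG $PRI $LEVEL ${MSG}", SAMPLE))
```

PROGRAM is copied from the message unchanged, which is why the table warns against trusting it.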



© 2007-2008 BalaBit IT Security