3.7. Templates and macros

The syslog-ng application allows you to define message templates, and reference them from every object that can use a template. Templates can be used to create standard message formats or filenames. Templates can reference one or more macros (e.g., the date or the hostname). See Section 8.5, “Macros” for a list of macros available in the Linux/Unix versions of syslog-ng, and Section 5.6, “Customizing the message format” for the macros of the syslog-ng Agent for Windows application. Fields from the structured data (SD) part of messages using the new IETF-syslog standard can also be used as macros.

Template objects have a single option called template_escape, which is disabled by default (template_escape(no)). This behavior is useful when the messages are passed to an application that cannot handle escaped characters properly. Enabling template escaping (template_escape(yes)) causes syslog-ng to escape the ' and " characters in the messages.

Note

In versions 2.1 and earlier, the template_escape() option was enabled by default.

Macros can be included by prefixing the macro name with a $ sign, just like in Bourne-compatible shells. Braces around the macro name are optional: the formats "$MSG" and "${MSG}" are equivalent.

Default values for macros can also be specified by appending the :- characters and the default value to the macro, for example:

${HOST:-default_hostname}

Note

See Section 5.6, “Customizing the message format” for the macros available in the syslog-ng Agent for Windows application.
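The three macro forms described above and the effect of template_escape() can be tried out in the following simplified Python model. It is an added example, not syslog-ng code: the function names, the sample values, and the backslash style of escaping are assumptions made for illustration.

```python
import re

# $NAME, ${NAME} and ${NAME:-default}: the macro forms described in this section.
MACRO_RE = re.compile(r"\$(?:\{(\w+)(?::-([^}]*))?\}|(\w+))")


def escape_quotes(value):
    """Model of template_escape(yes) for the ' and " characters.

    Assumption: escaping means prefixing the character with a backslash.
    """
    return value.replace("'", "\\'").replace('"', '\\"')


def expand(template, macros, template_escape=False):
    """Expand a template string against a dict of macro values."""
    def substitute(match):
        name = match.group(1) or match.group(3)
        default = match.group(2)
        value = macros.get(name, "")
        # The default applies when the macro has no value for this message.
        if value == "" and default is not None:
            value = default
        return escape_quotes(value) if template_escape else value
    return MACRO_RE.sub(substitute, template)


# Constructed sample message: empty HOST, and a MSG that contains both quote types.
SAMPLE_MACROS = {
    "ISODATE": "2010-03-01T12:00:00+00:00",
    "HOST": "",
    "MSG": 'auth failure for user "o\'neil"',
}
TEMPLATE = "$ISODATE ${HOST:-unknown_host} ${MSG}\n"

if __name__ == "__main__":
    # template_escape(no): quotes from the message reach the consumer unchanged.
    print(expand(TEMPLATE, SAMPLE_MACROS), end="")
    # template_escape(yes): every ' and " in the expanded values is escaped.
    print(expand(TEMPLATE, SAMPLE_MACROS, template_escape=True), end="")
```

Comparing the two printed lines shows what a downstream application receives in each mode, which is the deciding factor when choosing the template_escape() setting for a destination.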

The macros related to the date of the message (e.g., ISODATE, HOUR) have two further versions each: one with the S_ prefix and one with the R_ prefix (e.g., S_DATE and R_DATE). The S_DATE macro represents the date found in the log message, i.e., when the message was sent by the original application. R_DATE is the date when syslog-ng received the message.

DATE equals either S_DATE or R_DATE, depending on the setting of the now deprecated use_time_recvd() global option (see Section 8.9, “Global options”).

Warning

The hostname-related macros (FULLHOST, FULLHOST_FROM, HOST, and HOST_FROM) do not have any effect if the keep_hostname() option is disabled.

By default, syslog-ng sends messages using the following template: $ISODATE $HOST $MSGHDR$MSG\n. (The $MSGHDR$MSG part is written together because the $MSGHDR macro includes a trailing whitespace.)

Note

Earlier versions of syslog-ng used templates and scripts to send log messages into SQL databases. Starting from version 2.1, syslog-ng natively supports direct database access using the sql() destination. See Section 8.2.5, “sql()” for details.

Example 3.35. Using templates

The following template (t_demo_filetemplate) adds the date of the message and the name of the host sending the message to the beginning of the message text. The template is then used in a file destination: messages sent to this destination (d_file) will use the message format defined in the template.

template t_demo_filetemplate {
    template("$ISODATE $HOST $MSG\n");
    template_escape(no);
};
destination d_file {
    file("/var/log/messages" template(t_demo_filetemplate));
};

Templates can also be used inline if they are used only at a single location. The following destination is equivalent to the previous example:

destination d_file {
    file("/var/log/messages"
         template("$ISODATE $HOST $MSG\n") template_escape(no));
};

© 2007-2010 BalaBit IT Security