Certain parts of syslog-ng (e.g., destination filenames and message content templates) can refer to one or more macros, which get expanded as a message is processed. The table below summarizes the macros available in syslog-ng.
Note: See Section 5.6, “Customizing the message format” for the macros available in the syslog-ng Agent for Windows application.
Macros can be included by prefixing the macro name with a $ sign, just like in Bourne compatible shells. Braces around the macro name are optional: "$MSG" and "${MSG}" are equivalent. Use the braced form whenever the macro is immediately followed by text that could be read as part of the name (for example, ${HOST}log rather than $HOSTlog).
Default values for macros can also be specified by appending the :- characters and the default value to the macro name inside the braces, e.g., ${HOST:-default_hostname}, which expands to default_hostname when the HOST field of the message is empty.
Macros can be used to format messages, and also in the name of destination files. However, they cannot be used in sources as wildcards, for example, to read messages from files or directories that include a date in their name. Time-related macros come in three variants: the unprefixed macro (e.g., DATE) uses whichever timestamp syslog-ng selects according to its time-handling options, R_DATE the time at which syslog-ng received the message, and S_DATE the timestamp carried in the message header. Note that the S_ value, the HOST field when keep_hostname() is enabled, and the PROGRAM field all originate from the sender and can be forged or simply wrong (clock skew); for forensic ordering prefer the R_ variants, and prefer HOST_FROM or SOURCEIP over HOST when the identity of the sending peer matters. Avoid sender-supplied fields in destination file names.
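The following syslog-ng 3.x configuration is an added example written for this page; it is not taken from the BalaBit documentation. It exercises the syntax above: a message template built from ISODATE and MSGHDR, a destination file name built from date macros and a default value, and the global options the macro table depends on (keep_hostname(), frac_digits(), check_hostname()). The listening port, paths and object names (s_net, t_iso, d_files, f_sshd, d_sshd) are illustrative choices, not anything the page prescribes.

```conf
@version: 3.0

options {
    # $HOST / $FULLHOST carry the hostname from the message only when this
    # is on; with keep_hostname(no) they are overwritten by the resolved
    # name of the peer that delivered the message.
    keep_hostname(yes);
    # Do not accept hostname fields with characters outside the legal set,
    # so that a message cannot carry "/" or ".." in $HOST.
    check_hostname(yes);
    # Emit milliseconds in $ISODATE, e.g. 2006-06-13T15:58:00.123+01:00.
    frac_digits(3);
};

# Illustrative network source; 514/udp is the conventional syslog port.
source s_net {
    udp(ip(0.0.0.0) port(514));
};

# ISODATE (year and zone included) instead of DATE (neither).
# The braced ":-" form supplies a default when the HOST field is empty.
# $MSGHDR already ends in a space, so it is concatenated directly to $MSG.
template t_iso {
    template("${ISODATE} ${HOST:-unknown-host} ${MSGHDR}${MSG}\n");
};

# File name built from macros. The directory uses $HOST_FROM, the name
# syslog-ng itself resolved for the sending peer, rather than the
# sender-supplied $HOST or $PROGRAM, which must not become part of a path.
# When messages arrive through a relay, $HOST_FROM is the relay.
destination d_files {
    file("/var/log/remote/${HOST_FROM}/${YEAR}-${MONTH}-${DAY}.log"
         template(t_iso)
         create_dirs(yes));
};

# Per-program files without trusting $PROGRAM in the path: match a fixed
# name with a filter and write to a fixed destination.
filter f_sshd { program("^sshd$"); };
destination d_sshd {
    file("/var/log/remote/${HOST_FROM}/sshd.log" template(t_iso));
};

log { source(s_net); destination(d_files); };
log { source(s_net); filter(f_sshd); destination(d_sshd); };
```

With this configuration a message arriving from a relay named relay1.example.com is written to /var/log/remote/relay1.example.com/2006-06-13.log as, for example, "2006-06-13T15:58:00.123+01:00 web01 sshd[1234]: Accepted publickey for ..."; the year, month and day in the file name come from the same timestamp the template prints, so rotating by date and correlating by ISODATE agree.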
| Name | Description |
|---|---|
| BSDTAG | Facility/priority information in the format used by the FreeBSD syslogd: a priority number followed by a letter that indicates the facility. The priority number can range from 0 to 7. The facility letter can range from A to Y, where A corresponds to facility number zero (LOG_KERN), B corresponds to facility 1 (LOG_USER), etc. |
| DATE, R_DATE, S_DATE | Date of the message using the BSD-syslog style timestamp format (abbreviated month name followed by day, hour, minute and second, i.e. Mmm dd hh:mm:ss). This is the original syslog time stamp without year information, e.g.: Jun 13 15:58:00. |
| DAY, R_DAY, S_DAY | The day of the month the message was sent. |
| FACILITY | The name of the facility (for example, kern) that sent the message. |
| FACILITY_NUM | The numerical code of the facility (for example, 0) that sent the message. |
| FULLDATE, R_FULLDATE, S_FULLDATE | A nonstandard format for the date of the message using the same format as DATE, but including the year as well, e.g.: 2006 Jun 13 15:58:00. |
| FULLHOST | The full FQDN of the host name chain (without trimming chained hosts), including the domain name. To use this macro, make sure that the keep_hostname() option is enabled. |
| FULLHOST_FROM | FQDN of the host that sent the message to syslog-ng as resolved by syslog-ng using DNS. If the message traverses several hosts, this is the last host in the chain. To use this macro, make sure that the keep_hostname() option is enabled. |
| HOUR, R_HOUR, S_HOUR | The hour of day the message was sent. |
| HOST | The name of the source host where the message originates from. If the message traverses several hosts and the chain_hostnames() option is on, the first host in the chain is used. To use this macro, make sure that the keep_hostname() option is enabled. |
| HOST_FROM | Name of the host that sent the message to syslog-ng, as resolved by syslog-ng using DNS. If the message traverses several hosts, this is the last host in the chain. To use this macro, make sure that the keep_hostname() option is enabled. |
| ISODATE, R_ISODATE, S_ISODATE | Date of the message in the ISO 8601 compatible standard timestamp format (yyyy-mm-ddThh:mm:ss+-ZONE), e.g.: 2006-06-13T15:58:00.123+01:00. If possible, it is recommended to use ISODATE for timestamping. Note that syslog-ng can produce fractions of a second (e.g., milliseconds) in the timestamp by using the frac_digits() global or per-destination option. |
| LEVEL_NUM | The priority (also called severity) of the message, represented as a numeric value, for example, 3 (error). |
| MIN, R_MIN, S_MIN | The minute the message was sent. |
| MONTH, R_MONTH, S_MONTH | The month the message was sent as a decimal value, prefixed with a zero if smaller than 10. |
| MONTH_ABBREV, R_MONTH_ABBREV, S_MONTH_ABBREV | The English abbreviation of the month name (3 letters). |
| MONTH_NAME, R_MONTH_NAME, S_MONTH_NAME | The English name of the month. |
| MONTH_WEEK, R_MONTH_WEEK, S_MONTH_WEEK | The number of the week in the given month (0-5). The week with numerical value 1 is the first week containing a Monday. The days of month before the first Monday are considered week 0. For example, if a 31-day month begins on a Sunday, then the 1st of the month is week 0, and the end of the month (the 30th and 31st) is week 5. |
| MSG or MESSAGE | Text contents of the log message without the program name and pid. Note that this has changed in syslog-ng version 3.0; in earlier versions this macro included the program name and the pid. In syslog-ng 3.0, the MSG macro became equivalent with the MSGONLY macro. The program name and the pid together are available in the MSGHDR macro. |
| MSGHDR | The name and the pid of the program that sent the log message in PROGRAM[PID]: format. Includes a trailing whitespace. Note that the macro returns an empty value if both the program and pid fields of the message are empty. |
| MSGONLY | Message contents without the program name or pid. |
| PID | The PID of the program sending the message. |
| PRI | The priority and facility encoded as a 2 or 3 digit decimal number as it is present in syslog messages. |
| PRIORITY or LEVEL | The priority (also called severity) of the message, for example, error. |
| PROGRAM | The name of the program sending the message. Note that the content of the $PROGRAM variable may not be completely trusted as it is provided by the client program that constructed the message. |
| SDATA, .SDATA.SDID.SDNAME | The syslog-ng application automatically parses the STRUCTURED-DATA part of IETF-syslog messages, which can be referenced in macros. The [...] For example, if a log message contains the following structured data: [...] |
| SEC, R_SEC, S_SEC | The second the message was sent. |
| SEQNUM | The sequence number of the message is a unique identifier of the message between the end-points. The syslog-ng client calculates this number when processing a new message from a local source; it is not calculated for relayed messages. The sequence number increases for every message, and is not lost even if syslog-ng is reloaded or restarted. The sequence number is a part of every message that uses the new IETF-syslog protocol (.SDATA.meta.sequenceId), and can be added to BSD-syslog messages using this macro. |
| SOURCEIP | IP address of the host that sent the message to syslog-ng (i.e., the IP address of the host in the FULLHOST_FROM macro). Please note that when a message traverses several relays, this macro contains the IP of the last relay. |
| STAMP, R_STAMP, S_STAMP | A timestamp formatted according to the ts_format() global or per-destination option. |
| TAG | The priority and facility encoded as a 2 digit hexadecimal number. |
| TZ, R_TZ, S_TZ | Equivalent to TZOFFSET; used to mean the time zone name abbreviation in syslog-ng 1.6.x. |
| TZOFFSET, R_TZOFFSET, S_TZOFFSET | The time zone as hour offset from GMT, e.g.: -07:00. In syslog-ng 1.6.x this used to be -0700, but as ISODATE requires the colon it was added to TZOFFSET as well. |
| UNIXTIME, R_UNIXTIME, S_UNIXTIME | Standard unix timestamp, represented as the number of seconds since 1970-01-01T00:00:00. |
| YEAR, R_YEAR, S_YEAR | The year the message was sent. |
| WEEK, R_WEEK, S_WEEK | The week number of the year, prefixed with a zero for the first nine weeks of the year. (The first Monday in the year marks the first week.) |
| WEEK_ABBREV, R_WEEK_ABBREV, S_WEEK_ABBREV | The English abbreviation of the name of the day (3 letters). |
| WEEK_DAY, R_WEEK_DAY, S_WEEK_DAY | The day of the week as a numerical value (1-7). |
| WEEKDAY, R_WEEKDAY, S_WEEKDAY | The 3-letter name of the day of week the message was sent, e.g. Thu. |
| WEEK_DAY_NAME, R_WEEK_DAY_NAME, S_WEEK_DAY_NAME | The English name of the day. |
Table 8.20. Available macros
© 2007-2010 BalaBit IT Security
Please send your comments or documentation bugs to: documentation@balabit.com