5.6.5. Macros available in the syslog-ng Agent

The following tables list the available macros:

[Warning] Warning

These macros are available only in the syslog-ng Agent for Windows. To recognize Windows-specific elements of the log message (e.g., eventlog-related macros) on the syslog-ng server, you have to use parsers on the syslog-ng server. The parser must be configured to match the message format set in the syslog-ng Agent. See Section 3.8, “Parsing messages” for details.

[Note] Note

Note that if you use the Syslog protocol template (that is, messages are sent using the IETF-syslog protocol), only the message part of the log message can be customized; the structure of the header and of the other fields is fixed by the protocol.

By default, the syslog-ng Agent uses the following format: <${PRI}>${BSDDATE} ${HOST} ${APP_NAME}[${PROCESS_ID}]: ${MESSAGE}, where ${MESSAGE} is ${EVENT_USERNAME}: ${EVENT_NAME} ${EVENT_SOURCE}: [${EVENT_TYPE}] ${EVENT_MSG} (EventID ${EVENT_ID}) for eventlog messages, and ${FILE_NAME}: ${FILE_CURRENT_POSITION}/${FILE_SIZE}: ${FILE_MESSAGE} for file messages.
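The warning above says that the server side has to recover the Windows-specific fields with a parser matched to the agent's template. The following Python is an added example of such a parser for the two default templates just quoted; it is not code from the syslog-ng Agent or from BalaBit. It assumes the agent was left on its default templates, that the text in [EVENT_TYPE] uses the same words the EVENT_LEVEL table lists (Success, Informational, Warning, Error), and it uses "syslog-ng-agent" only as a stand-in for whatever APP_NAME the agent really emits; the dictionary keys and the sample lines are the example's own and constructed, not captured traffic.

```python
"""Recover the syslog-ng Agent's default-template macros from a received line.

Added example, not code from the syslog-ng Agent or BalaBit.  It assumes the
agent still uses the default templates quoted in the text above:
    <PRI>BSDDATE HOST APP_NAME[PROCESS_ID]: MESSAGE
    eventlog MESSAGE: EVENT_USERNAME: EVENT_NAME EVENT_SOURCE: [EVENT_TYPE] EVENT_MSG (EventID EVENT_ID)
    file MESSAGE:     FILE_NAME: FILE_CURRENT_POSITION/FILE_SIZE: FILE_MESSAGE
The dict keys, the APP_NAME placeholder in the samples and the EVENT_TYPE words
mapped to EVENT_LEVEL numbers are this example's own assumptions.
"""
import re
from typing import Optional

# Fixed BSD-syslog header produced by the default template.
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<bsddate>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<app>[^\s\[]+)\[(?P<pid>\d+)\]: (?P<body>.*)$",
    re.DOTALL,
)
# Eventlog body.  EVENT_MSG is free text and may contain colons, brackets or
# even "(EventID n)", so the pattern anchors on the *trailing* "(EventID n)"
# and the greedy msg group absorbs everything before it: text injected into
# an event's message cannot change the EVENT_ID the server extracts.
_EVENTLOG = re.compile(
    r"^(?P<username>[^:]*): (?P<container>\S+) (?P<source>[^:]+): "
    r"\[(?P<type>[^\]]+)\] (?P<msg>.*) \(EventID (?P<id>\d+)\)$",
    re.DOTALL,
)
# File body.  FILE_NAME is a Windows path (C:\...), so the lazy file group
# runs past the drive-letter colon up to the ": position/size: " separator.
_FILE = re.compile(r"^(?P<file>.+?): (?P<pos>\d+)/(?P<size>\d+): (?P<msg>.*)$", re.DOTALL)
# EVENT_LEVEL numbers from Table 5.3; that [EVENT_TYPE] carries exactly these
# words is an assumption of this example, unknown words map to None.
_EVENT_LEVEL = {"Success": 6, "Informational": 5, "Warning": 4, "Error": 3}


def parse_agent_line(line: str) -> Optional[dict]:
    """Return the macros recovered from one message, or None if the header is not the agent's."""
    head = _HEADER.match(line.rstrip("\r\n"))
    if head is None:
        return None
    pri = int(head.group("pri"))
    if pri > 191:  # facility 0..23, severity 0..7
        return None
    rec = {
        "PRI": pri, "facility": pri >> 3, "severity": pri & 7,  # PRI = facility*8 + severity
        "BSDDATE": head.group("bsddate"),
        "HOST": head.group("host"),  # the agent lowercases hostnames before sending
        "APP_NAME": head.group("app"), "PROCESS_ID": int(head.group("pid")),
    }
    body = head.group("body")
    ev = _EVENTLOG.match(body)
    if ev is not None:
        rec.update(kind="eventlog", EVENT_USERNAME=ev.group("username"),
                   EVENT_NAME=ev.group("container"), EVENT_SOURCE=ev.group("source"),
                   EVENT_TYPE=ev.group("type"), EVENT_LEVEL=_EVENT_LEVEL.get(ev.group("type")),
                   EVENT_MSG=ev.group("msg"), EVENT_ID=int(ev.group("id")))
        return rec
    fm = _FILE.match(body)
    if fm is not None:
        rec.update(kind="file", FILE_NAME=fm.group("file"),
                   FILE_CURRENT_POSITION=int(fm.group("pos")), FILE_SIZE=int(fm.group("size")),
                   FILE_MESSAGE=fm.group("msg"))
        return rec
    rec.update(kind="unknown", MESSAGE=body)  # custom template: keep the raw body
    return rec


# Constructed sample lines, not real captures; "syslog-ng-agent" stands in for
# whatever APP_NAME the agent really emits.
SAMPLE_LINES = [
    "<86>Jun 13 15:58:00 win-dc01 syslog-ng-agent[1234]: CORP\\alice: Security "
    "Microsoft-Windows-Security-Auditing: [Success] An account was successfully "
    "logged on. (EventID 4624)",
    "<85>Jun  3 09:01:07 ws042 syslog-ng-agent[1234]: NT AUTHORITY\\SYSTEM: System "
    "Service Control Manager: [Warning] Service name: spoofed (EventID 1) text "
    "(EventID 7036)",
    "<134>Jun 13 15:58:01 win-dc01 syslog-ng-agent[1234]: "
    "C:\\inetpub\\logs\\ex100613.log: 8192/65536: 2010-06-13 13:58:01 10.0.0.5 "
    "GET /login.aspx - 443 - 203.0.113.7 200",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_agent_line(sample))
```

The eventlog pattern deliberately anchors on the last "(EventID n)" rather than the first, so the second sample, whose event text itself contains "(EventID 1)", still yields 7036 and the whole injected text stays inside EVENT_MSG. Whatever parser you configure on the syslog-ng server (csv-parser, patterndb or a regular expression) should follow the same rule, because the event text is attacker-influenced on many sources while the trailing EventID comes from the agent's template. If the agent's template is changed, the patterns here have to change with it, which is exactly the point of the warning above.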

Macro Description
HOST Name of the host sending the message. Hostnames are automatically converted to lowercase.
MESSAGE The content of the message, including the text of the message and any file- or event-specific macros that are set for the source.
MSG An alias for the MESSAGE macro.
PRI Priority header of the message, storing the facility and the level of the message.

Table 5.1. Protocol-related macros of the syslog-ng agent


Macro Description
BSDDATE, R_BSDDATE, S_BSDDATE Date of the message in BSD timestamp format: the abbreviated month name, the day of the month, and the time as hh:mm:ss, e.g., Jun 13 15:58:00. This is the original syslog timestamp, which carries neither the year nor the time zone. If possible, use ISODATE for timestamping instead.
DATE An alias of the ISODATE macro.
DAY, R_DAY, S_DAY The day the message was sent.
FULLDATE, R_FULLDATE, S_FULLDATE A nonstandard format for the date of the message using the same format as DATE, but including the year as well, e.g.: 2006 Jun 13 15:58:00.
HOUR, R_HOUR, S_HOUR The hour of day the message was sent.
ISODATE, R_ISODATE, S_ISODATE Date of the message in the ISO 8601 compatible standard timestamp format (yyyy-mm-ddThh:mm:ss+-ZONE), e.g.: 2006-06-13T15:58:00+01:00. If possible, it is recommended to use ISODATE for timestamping. Note that the syslog-ng Agent cannot produce fractions of a second (e.g., milliseconds) in the timestamp.
MIN, R_MIN, S_MIN The minute the message was sent.
MONTH, R_MONTH, S_MONTH The month the message was sent as a decimal value, prefixed with a zero if smaller than 10.
MONTHNAME, R_MONTHNAME, S_MONTHNAME The English name of the month the message was sent, abbreviated to three characters (e.g., Jan, Feb, etc.).
R_DATE Date when the message was recorded into the eventlog container.
S_DATE Date when the message was created.
SEC, R_SEC, S_SEC The second the message was sent.
TZ, R_TZ, S_TZ The name of the time zone of the host.
TZOFFSET, R_TZOFFSET, S_TZOFFSET The time zone as an offset from GMT in hours and minutes, e.g.: -07:00. In syslog-ng 1.6.x this used to be -0700, but as ISODATE requires the colon, it was added to TZOFFSET as well.
UNIXTIME, R_UNIXTIME, S_UNIXTIME Standard unix timestamp, represented as the number of seconds since 1970-01-01T00:00:00.
YEAR, R_YEAR, S_YEAR The year the message was sent.
WEEK, R_WEEK, S_WEEK The week number of the year, prefixed with a zero for the first nine weeks of the year. (The first Monday in the year marks the first week.)
WEEKDAY, R_WEEKDAY, S_WEEKDAY The 3-letter name of the day of week the message was sent, e.g. Thu.

Table 5.2. Time-related macros of the syslog-ng agent


Macro Description
EVENT_CATEGORY The category of the event.
EVENT_FACILITY The facility that sent the message.
EVENT_ID The identification number of the event.
EVENT_LEVEL Importance level of the message represented as a number: 6 - Success, 5 - Informational, 4 - Warning, or 3 - Error.
EVENT_MESSAGE The content of the message.
EVENT_MESSAGE_XML Contains the entire message in XML format. Available only on Windows Vista and Server 2008 platforms.
EVENT_MSG The content of the message. This is an alias of the EVENT_MESSAGE.
EVENT_NAME Name of the Windows event log container (e.g., Application or Security).
EVENT_REC_NUM The record number of the event in the event log.
EVENT_SID The security identifier (SID) of the account associated with the event.
EVENT_SID_TYPE The type of the account that the SID identifies, as returned when the SID is resolved to a name. One of the following: User, Group, Domain, Alias, WellKnownGroup, DeletedAccount, Invalid, Unknown, Computer.
EVENT_SOURCE The application that created the message.
EVENT_TASK The task category of the event. Available only on Windows Vista and Server 2008 platforms.
EVENT_TYPE The importance level of the message in text format.
EVENT_USERNAME The user running the application that created the message.

Table 5.3. Eventlog-related macros of the syslog-ng agent


Macro Description
FILE_CURRENT_POSITION The position of the message from the beginning of the file in bytes.
FILE_FACILITY The facility that sent the message.
FILE_LEVEL Importance level of the message represented as a number: 6 - Success, 5 - Informational, 4 - Warning, or 3 - Error.
FILE_MESSAGE The content of the message.
FILE_MSG The content of the message. This is an alias of the FILE_MESSAGE macro.
FILE_NAME Name of the log file (including its path) from where the syslog-ng Agent received the message.
FILE_SIZE The current size of the file in bytes.

Table 5.4. File-related macros of the syslog-ng agent



© 2007-2010 BalaBit IT Security
Please send your comments or documentation bugs to: documentation@balabit.com