15.3.1. Referring to parts of the message as a macro

You can refer to the separated parts of the message using the key of the value as a macro. For example, if the message contains KEY1=value1,KEY2=value2, you can refer to the values as ${KEY1} and ${KEY2}.

For example if the default prefix (.geoip2) is used, you can determine the country code using ${.geoip2.country.iso_code}.

To look up all keys:

  1. Install the mmdb-bin package.

    After installing this package, you will be able to use the mmdblookup command.

    Note

    The name of the package depends on the Linux distribution. The package mentioned in this example is on Ubuntu.

  2. Create a dump using the following command: mmdblookup --file GeoLite2-City.mmdb --ip <your-IP-address>

    The resulting dump file will contain the keys that you can use.

For a more complete list of keys, you can also check the GeoIP2 City and Country CSV Databases. However, note that the syslog-ng OSE application works with the mmdb (GeoIP2) format of these databases. Other formats, like csv are not supported.