This is due to log sources (programs generating the events) using the text "fields" in their messages for different things (which syslog-ng can only interpret as the host. Try $HOST_FROM instead (this results in the name or address of the system from which your syslog-ng box received the messages. NOTE: this will not preserve the original source (so if you forward through one log server, the second would see the HOST_FROM as the first, not the actual source) Jim -----Original Message----- From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of [????]??? Sent: Tuesday, December 01, 2009 2:51 AM To: syslog-ng@lists.balabit.hu Subject: [syslog-ng] hi all.Why $HOST variable valued "250" ,"250-localhost^M" ? Hi.all I configured syslog-ng (3)(CentOS 5) to collect logs sent by 1xx syslog servers.(freebsd6).I got two strange dirs: "250" and "250-localhost^M" my syslog-ng.conf : ============================================== source s_udp { udp(ip(172.16.18.10) port(514) ); }; destination d_udp_data{ file ("/data3/syslogng/logcollect/$YEAR-$MONTH-$DAY/$HOST/$FACILITY/$PROGRAM.log" create_dirs(yes) template("\n$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC $SOURCEIP $PROGRAM $MSG") ); }; ================================================= my syslog.conf !webface.login *.info /var/log/mail/webface/webface-login.log *.* @172.16.18.10 ======================================= root@localhost 2009-12-01]# pwd /data3/syslogng/logcollect/2009-12-01 [root@localhost 2009-12-01]# ls ............... 10.55.2.35 10.55.2.46 10.55.2.57 10.55.2.68 10.55.2.79 10.55.2.90 250 250-localhost^M [root@localhost 2009-12-01]# ls -R 250 250: user 250/user: 2.1.0.log [root@localhost 2009-12-01]# more 250/user/2.1.0.log 2009-12-01 13:46:12 10.55.2.11 2.1.0 Ok^M 2009-12-01 13:46:27 10.55.2.11 2.1.0 Ok^M ........ [root@localhost 2009-12-01]# ls -R 250-localhost^M/ 250-localhost^M/: user 250-localhost^M/user: 250-SIZE^M.log [root@localhost 2009-12-01]# more 250-localhost^M/user/250-SIZE^M.log 2009-12-01 14:07:44 10.55.2.128 250-SIZE^M 250-8BITMIME^M 250 ENHANCEDSTATUSCODES^M -- 祝: 身体安康,万事如意! ________________________________________________________________ Mr. Hunter - 韩友洪 焱龙企鹅 youhong@staff.sina.com.cn 新浪 - 产品事业部 -邮箱 MSN:hf_linux@msn.com 电话:5392 手机:15001328768 地址:北京市海淀区北四环西路58号理想国际大厦18层 ________________________________________________________________ http://www.sina.com.cn You're the One 新浪.北京 一切由你开始 ______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.campin.net/syslog-ng/faq.html