Hi Balázs,

Thank you. The '$SOURCEIP' is what I need, combined with 'flags(no-parse)'. With this I can separate the messages by the source address contained in the IP packet header.

Config example:

source s_net_0 {
    network(
        ip(0.0.0.0)
        port(600)
        transport(udp)
        flags(no-parse)
    );
};

destination d_file_0 {
    file("/var/log/remote_log/$R_MONTH/$R_DAY/$SOURCEIP/100/$user.log"
        owner(root) group(root)
        create-dirs(yes)
        perm(0700) dir-perm(0700));
};

log { source(s_net_0); destination(d_file_0); };

--
Best regards,
Hollósi Botond
Opennetworks Kft.
Tel.: 06-1-9996000
Mobile: 06-20-4362032

On 2016-07-31 12:00, syslog-ng-request@lists.balabit.hu wrote:
Message: 1
Date: Sat, 30 Jul 2016 20:02:00 +0200
From: Scheidler, Balázs <balazs.scheidler@balabit.com>
Subject: Re: [syslog-ng] Central netlog server for hosts behind NAT
To: "Syslog-ng users' and developers' mailing list" <syslog-ng@lists.balabit.hu>
Message-ID: <CANWQT2OUDC7T-8FBrg2g3zdk9nPsBAOZj8Wq-vWmzUeywxOQ1Q@mail.gmail.com>
I am not sure I understand your use case and question. $HOST is populated based on the host field within the message, and senders are free to set that to whatever they please.
If that field is missing (which it might), syslog-ng fills that based on the sender IP address.
There are alternative macros, such as $SOURCEIP, which is the actual IP of the datagram received by syslog-ng. But you can also play with $HOST-related syslog-ng options such as keep-hostname().

Could you try to rephrase your question?

Thanks,
Bazsi
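
Added example (not part of either message, and not syslog-ng code): a minimal Python stand-in for the collector in the config above, showing that the per-sender directory is chosen only from the datagram's source address, as with $SOURCEIP, and never from the hostname written inside the payload. The file name messages.log, the function names, the base directory and the sample addresses are assumptions.

```python
import ipaddress
import socket
from datetime import datetime
from pathlib import Path


def dest_file(base, peer_ip, received):
    """Mirror the layout <base>/$R_MONTH/$R_DAY/$SOURCEIP/messages.log."""
    # Only a valid IP literal may become a path component; anything else
    # raises ValueError instead of reaching the filesystem.
    ip = ipaddress.ip_address(peer_ip)
    return Path(base) / f"{received:%m}" / f"{received:%d}" / str(ip) / "messages.log"


def store(base, peer, payload, received):
    """Append one unparsed datagram (the no-parse case) and return its file."""
    path = dest_file(base, peer[0], received)
    # 0700 applies to the leaf directory; parents get the umask default.
    path.parent.mkdir(mode=0o700, parents=True, exist_ok=True)
    text = payload.decode("utf-8", "replace").rstrip("\r\n")
    # Keep one datagram on one line so a sender cannot forge extra records.
    text = text.replace("\r", " ").replace("\n", " ")
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(text + "\n")
    path.chmod(0o600)
    return path


def serve(base, bind="0.0.0.0", port=600):
    """Receive UDP datagrams forever; peer comes from the IP header."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        payload, peer = sock.recvfrom(65535)
        store(base, peer, payload, datetime.now())


if __name__ == "__main__":
    # Hypothetical base directory; binding port 600 needs root privileges.
    serve("/var/log/remote_log_demo")
```

The stored line still contains whatever host name the sender claimed, so the claim can be compared with the directory it landed in.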