Setting log destination using the MAC address
All;

I am using syslog-ng to log both the local server and remote clients. Right now I log the clients like so and it works the way it should:

destination d_remotehosts {
file( "/var/log/HOSTS/$YEAR/$MONTH/$DAY/$HOST/$FACILITY.log" perm( 0644 ) create_dirs( yes ) dir_perm( 0755 ) );
};

However, it is not as helpful when multiple remote clients get recognized as $HOST = 192.168.x.x. Since most remote clients are IP phones, logging using the MAC address instead of the IP address would be much more valuable, but I don't see in the manual where that's possible. Is it possible to log using the MAC address? Any insight at all would be greatly appreciated.

Thanks;
John
Tech Support
VoIP Business Solutions
240-215-3479 x325
support@voipbusiness.us
Hi,

On 02/15/2015 07:55 PM, Tech Support wrote:
> All;
> I am using syslog-ng to log both the local server and remote clients. Right now I log the clients like so and it works the way it should:
> destination d_remotehosts {
> file( "/var/log/HOSTS/$YEAR/$MONTH/$DAY/$HOST/$FACILITY.log" perm( 0644 ) create_dirs( yes ) dir_perm( 0755 ) );
> };
> However, it is not as helpful when multiple remote clients get recognized as $HOST = 192.168.x.x. Since most remote clients are IP phones, logging using the MAC address instead of the IP address would be much more valuable, but I don’t see in the manual where that’s possible. Is it possible to log using the MAC address? Any insight at all would be greatly appreciated.
One can only use the available data. The MAC address isn't available to syslog-ng as it isn't part of the message payload. Even if the MAC address seen by the networking stack would be available it would be more or less useless as the local router's MAC would be there instead of the MACs of the logging clients unless you've got a very simple network having a single subnet.

It could be possible to write a program which looks up the IP<->MAC association of a given date based on external data like DHCP lease database so if you've got such data available then the logs could get postprocessed - or even better if the program is fast and could run on the same machine syslog-ng is running on then it could get used as a program() destination.

hth,
Sandor
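The lookup described in the reply above, as an added example that is not part of the original thread. It assumes the DHCP server writes ISC dhcpd.leases-style records and that message timestamps are in UTC; `parse_leases`, `mac_for` and `log_path` are hypothetical names, and the lease data is constructed.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample in ISC dhcpd.leases syntax (lease times are UTC).
# The same IP is leased to two different phones on one day.
SAMPLE_LEASES = """
lease 192.168.1.50 {
  starts 0 2015/02/15 08:00:00;
  ends 0 2015/02/15 12:00:00;
  hardware ethernet 00:04:f2:aa:bb:01;
}
lease 192.168.1.50 {
  starts 0 2015/02/15 13:00:00;
  ends 0 2015/02/15 21:00:00;
  hardware ethernet 00:04:F2:AA:BB:02;
}
"""

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
TIME = r"\s+\d\s+(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d);"
MAC_RE = re.compile(r"hardware ethernet\s+((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2});")

def parse_leases(text):
    """Return {ip: [(start, end, mac), ...]} for every complete lease block."""
    table = {}
    for ip, body in LEASE_RE.findall(text):
        start = re.search("starts" + TIME, body)
        end = re.search("ends" + TIME, body)
        mac = MAC_RE.search(body)
        if not (start and end and mac):
            continue  # skip e.g. "ends never;" or blocks without a MAC
        span = [datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S") for m in (start, end)]
        # Only validated hex digits reach the file name; ':' becomes '-'.
        table.setdefault(ip, []).append((span[0], span[1], mac.group(1).lower().replace(":", "-")))
    return table

def mac_for(table, ip, when):
    """MAC that held `ip` at UTC time `when`, or None if no lease covers it."""
    for start, end, mac in table.get(ip, ()):
        if start <= when <= end:
            return mac
    return None

def log_path(table, ip, when, facility):
    """Path in the thread's directory layout, keyed by MAC; falls back to the IP."""
    host = mac_for(table, ip, when) or str(ipaddress.ip_address(ip))  # rejects non-IP input
    return when.strftime("/var/log/HOSTS/%Y/%m/%d/") + f"{host}/{facility}.log"
```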
participants (2)
- Sandor Geller
- Tech Support