Hi,

syslog-ng 1.5.3 released which adds support for user definable log file formats. Here's how to use it:

destination my_file { file("/var/log/messages" template("$ISODATE $TAG $FULLHOST $MESSAGE")); };

Documentation is not updated, for a list of available macros check out affile.c, expand_macros() function. I'd appreciate some testing, because I won't have too much time to do it myself.

Here's a list of the macros and an example of their output, in the following format $MACRO_NAME description/type example $FACILITY syslog facility name daemon $PRIORITY the syslog priority name debug $LEVEL ; same output as $PRIORITY $TAG Hex representaiton of the 32-bit priority/facility pair (see /usr/include/sys/syslog.h) 1f (1f is the output for "daemon/debug" as above) $DATE The local system time Jan 19 23:27:21 $FULLDATE Same as $DATE but with %Y appended, 2001 Jan 19 23:27:21 $ISODATE ISO-standard format date (strftime format "%Y-%m-%dT%H:%M:%S%z") 2001-01-19T23:27:21+1000 $YEAR 4-digit year string 2001 $MONTH 2-digit month string 01 $DAY 2-digit day string 19 $HOUR 2-digit hour string 23 $MIN 2-digit minutes string 27 $SEC 2-digit seconds string 21 $HOST host string; not sure how to decode this function, in my example it's the same as fullhost (?) avrio $FULLHOST "full hostname" (msg->host->data) avrio $PROGRAM If syslog-ng has pulled a 'program name' out of the message, this will return that qpage $MSG || $MESSAGE The full syslog message qpage[9366]: processing the page queue Balazs forgot one thing - you'll also need to include a "\n" at the end of your template directive if you want to make your output readable :) e.g. destination my_file { file("/var/log/messages" template("$ISODATE $TAG $FULLHOST $MESSAGE\n")); }; Balazs, my test config was: destination d_format_test { file("/var/log/test" template("$FACILITY $PRIORITY $LEVEL $TAG $DATE $FULLDATE $ISODATE $YEAR $MONTH $DAY $HOUR $MIN $SEC $HOST $FULLHOST $PROGRAM $MSG\n")); }; log { source(s_sys); filter(DEFAULT); destination(d_format_test); }; the output used in the examples above is daemon debug debug 1f Jan 19 23:27:21 2001 Jan 19 23:27:21 2001-01-19T23:27:21+1000 2001 01 19 23 27 21 avrio avrio qpage qpage[9366]: processing the page queue seems to work okay with the \n. Thanks Balazs, now I can use the clock on my ciscos for the log messages, again! -afort