Hi,

I'm trying to use the hostname from inside the syslog message as filename but it doesn't work for me:
https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-o...

my config:

    @version: 3.9
    options { keep_hostname(yes); use-dns(no); };
    source s_system { udp(ip("0.0.0.0") port(514)); };
    destination d_all { file("/tmp/${FULLHOST}.log"); };
    log { source(s_system); destination(d_all); };

The result is my ip address instead of "my-hostname", but I expect "my-hostname":

    syslog-ng -Fevd
    ....
    [2017-10-16T10:32:15.188058] Incoming log entry; line='<14>1 2017-10-16T10:32:15.151157+02:00 my-hostname lampelogtest 54321 111111 - Test syslog message'
    [2017-10-16T10:32:15.188327] Initializing destination file writer; template='/tmp/${FULLHOST}.log', filename='/tmp/10.3.25.4.log'

Some more information:

    syslog-ng --version
    syslog-ng 3.9.1
    Installer-Version: 3.9.1
    Revision:
    Module-Directory: /usr/lib64/syslog-ng
    Module-Path: /usr/lib64/syslog-ng
    Available-Modules: add-contextual-data,afamqp,affile,afprog,afsocket,afstomp,afuser,basicfuncs,cef,confgen,cryptofuncs,csvparser,date,dbparser,disk-buffer,graphite,json-plugin,kvformat,linux-kmsg-format,pseudofile,syslogformat,system-source,tfgetent
    Enable-Debug: off
    Enable-GProf: off
    Enable-Memtrace: off
    Enable-IPv6: on
    Enable-Spoof-Source: on
    Enable-TCP-Wrapper: on
    Enable-Linux-Caps: off

The system is a SLES11SP4

Regards,
Thomas
Your syslog message is

    <14>1 2017-10-16T10:32:15.151157+02:00 my-hostname lampelogtest 54321 111111 - Test syslog message

which is not a correctly formatted syslog message because of the leading "1 ". Syslog-ng will try to parse this as a date (which should be the first thing after the <##>) and since it is not a date, the entire line will be placed into the MSG macro and all of the other header fields will be populated the best they can.

The date/time will be the date/time of the syslog-ng receiving host. The FULLHOST will be populated with the information from the network packet. This includes the IP address of the sender. The PROGRAM will be empty.

If you look at the messages logged in '/tmp/10.3.25.4.log' you should be able to confirm this (or prove I'm out to lunch).

Evan

On 10/16/2017 02:23 AM, Thomas Haupt wrote:
That's possibly an rfc5424 message, which you can parse using either udp(flags(syslog-protocol)) or syslog(transport(udp)) as source.

On Oct 16, 2017 17:18, "Evan Rempel" <erempel@uvic.ca> wrote:
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
Great :-) thanks @all

    @version: 3.9
    options { keep_hostname(yes); use-dns(no); };
    source s_system { udp(ip("0.0.0.0") port(514) flags(syslog-protocol)); };
    destination d_all { file("/tmp/${FULLHOST}.log"); };
    log { source(s_system); destination(d_all); };

    [2017-10-16T18:10:17.734169] Incoming log entry; line='<14>1 2017-10-16T18:10:17.717023+02:00 my-hostname lampelogtest 54321 111111 - Test syslog message'
    [2017-10-16T18:10:17.734371] Initializing destination file writer; template='/tmp/${FULLHOST}.log', filename='/tmp/my-hostname.log'

Best regards,
Thomas

On 16.10.2017 at 17:45, Scheidler, Balázs wrote:
Hi,

"Thomas Haupt" <t.haupt@ff-muenchen.de> wrote on 2017-10-16 at 11:23:

> options { keep_hostname(yes); use-dns(no); };
> source s_system { udp(ip("0.0.0.0") port(514)); };

This setting indicates traditional rfc 3164 syslog format.

> [2017-10-16T10:32:15.188058] Incoming log entry; line='<14>1 2017-10-16T10:32:15.151157+02:00 my-hostname lampelogtest 54321 111111 - Test syslog message'

This debug message indicates the rfc 5424 syslog format. Have you tried to align the format and your config?

Cheers,
Gyu
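A small model of the two header parsers this thread contrasts, added here as an example (it is not syslog-ng's own code and only approximates its behaviour). It reproduces why a plain udp() source files the message under the peer IP while udp(flags(syslog-protocol)) yields the header hostname, and, because keep_hostname(yes) makes the sender-supplied hostname part of a file path, it also refuses a HOST value that is not safe as a file-name component before expanding the ${FULLHOST} template. The first sample line is the one from the thread; the RFC 3164 line and the helper names are constructed for the example.

```python
import re

# Constructed samples: the RFC 5424 line is the one Thomas's client sent, the
# peer address is the one syslog-ng logged, the RFC 3164 line is made up here.
RFC5424_LINE = ("<14>1 2017-10-16T10:32:15.151157+02:00 my-hostname lampelogtest "
                "54321 111111 - Test syslog message")
RFC3164_LINE = "<14>Oct 16 10:32:15 my-hostname lampelogtest[54321]: Test syslog message"
PEER_IP = "10.3.25.4"

RFC5424 = re.compile(r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
                     r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*\]) ?(?P<msg>.*)$")
RFC3164 = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
                     r"(?P<host>\S+) (?P<rest>.*)$")
TAG = re.compile(r"^(?P<app>[^\s:\[]+)(?:\[\d+\])?: ?(?P<msg>.*)$")
SAFE_HOST = re.compile(r"^[A-Za-z0-9._-]+$")   # what we allow inside a file name


def parse(line, peer_ip, syslog_protocol=False):
    """Simplified model of the header handling described in the thread.

    syslog_protocol=False mimics a plain udp() source (RFC 3164 only): the
    RFC 5424 line fails the date parse, so the whole payload lands in MSG,
    PROGRAM stays empty and HOST falls back to the packet's source address.
    syslog_protocol=True mimics udp(flags(syslog-protocol)): HOST and
    PROGRAM are taken from the RFC 5424 header.
    """
    if syslog_protocol:
        m = RFC5424.match(line)
        if m:
            return {"HOST": m["host"], "PROGRAM": m["app"], "MSG": m["msg"]}
    m = RFC3164.match(line)
    if m:
        t = TAG.match(m["rest"])
        program, msg = (t["app"], t["msg"]) if t else ("", m["rest"])
        return {"HOST": m["host"], "PROGRAM": program, "MSG": msg}
    # Header unparsable: everything after the priority becomes MSG.
    return {"HOST": peer_ip, "PROGRAM": "", "MSG": line.split(">", 1)[1]}


def destination_file(fields, template="/tmp/${FULLHOST}.log"):
    """Expand the file() template; with keep_hostname(yes) and use-dns(no)
    FULLHOST is whatever HOST resolved to above, so validate it first."""
    host = fields["HOST"]
    if not SAFE_HOST.match(host):
        raise ValueError("refusing sender-supplied hostname as a path component: %r" % host)
    return template.replace("${FULLHOST}", host)
```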
participants (4)
- Evan Rempel
- PÁSZTOR György
- Scheidler, Balázs
- Thomas Haupt