[syslog-ng] syslog-ng help: how can I use function in double quotes?

Gergely Nagy algernon at balabit.hu
Tue Jul 5 17:52:43 CEST 2011


"Henry Xu" <xkb.surfing at gmail.com> writes:

> Since there's no available macro that represents the IP of syslog-ng
> server (only have macros indicate where the message sent to syslog-ng
> server, like $HOST). So I want to use ip() function and record it to
> database.

There is no ip() function in syslog-ng. The various ip() stuff you can
see in configs are settings for the various sources and destinations.

The main issue with what you want to do is figuring out what the
server's IP is, as there can be many. I assume you want the IP the
message arrived to - am I correct?

In that case, the best option off the top of my head is to tag messages
coming to the different IP addresses, and use the $TAG macro in the
destination:

source s_net_1234 {
 # tags() is an option of the source driver, so it goes inside tcp()
 tcp(ip(1.2.3.4) ... tags("1.2.3.4"));
};

source s_net_192 {
 tcp(ip(192.168.0.1) ... tags("192.168.0.1"));
};

destination d_sql {
 # options inside sql() are not separated by semicolons
 sql(...
  values("${R_YEAR}-${R_MONTH}-${R_DAY} ${R_HOUR}:${R_MIN}:${R_SEC}",
         "${TAGS}", "${HOST}", ...)
 );
};

Care should be taken that $TAGS will expand to all tags, so only one tag
should be on any message.

There might be better ways to achieve the same thing, though, but this
is the first that I could think of.

-- 
|8]
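
Added example, not part of the original message and not syslog-ng code: a check for whoever reads the SQL table, following the caveat above that $TAGS expands to all tags. It assumes the stored value is a comma-separated tag list; the function names and sample rows are constructed for illustration.

```python
import ipaddress


def listener_ip(tags_field):
    """Return the single listener IP carried in a stored ${TAGS} value.

    Assumption: the column holds a comma-separated list of tags.
    Raises ValueError when there is no IP-shaped tag or more than one,
    because such a row cannot be attributed to one listening address.
    """
    candidates = set()
    for tag in tags_field.split(","):
        try:
            candidates.add(str(ipaddress.ip_address(tag.strip())))
        except ValueError:
            continue  # not an address: some other tag on the message
    if len(candidates) != 1:
        raise ValueError(
            "expected exactly one IP tag, got %r in %r"
            % (sorted(candidates), tags_field)
        )
    return candidates.pop()


# Constructed sample values of the tags column, not real log data.
SAMPLE_ROWS = [
    "1.2.3.4",
    "192.168.0.1",
    "some_other_tag,192.168.0.1",  # extra non-IP tag: still unambiguous
    "1.2.3.4,192.168.0.1",         # two IP tags: ambiguous
    "some_other_tag",              # no IP tag at all
]


def classify(rows):
    """Map each stored tags value to its listener IP, or None if unusable."""
    result = {}
    for row in rows:
        try:
            result[row] = listener_ip(row)
        except ValueError:
            result[row] = None
    return result


if __name__ == "__main__":
    for row, ip in classify(SAMPLE_ROWS).items():
        print("%-30s -> %s" % (row, ip or "AMBIGUOUS"))
```

Rows that come back as None are the ones where more than one tag, or none, reached the destination and the listener address cannot be trusted.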


