[syslog-ng] Setting log destination using the MAC address
Sandor Geller
sandor.geller at ericsson.com
Mon Feb 16 09:06:46 CET 2015
Hi,
On 02/15/2015 07:55 PM, Tech Support wrote:
> All;
>
> I am using syslog-ng to log both the local server and remote
> clients. Right now I log the clients like so and it works the way it should:
>
> destination d_remotehosts {
>
> file( "/var/log/HOSTS/$YEAR/$MONTH/$DAY/$HOST/$FACILITY.log" perm(
> 0644 ) create_dirs( yes ) dir_perm( 0755 ) );
>
> };
>
> However, it is not as helpful when multiple remote clients get
> recognized as $HOST = 192.168.x.x. Since most remote clients are IP
> phones, logging using the MAC address instead of the IP address would be
> much more valuable, but I don’t see in the manual where that’s possible.
> Is it possible to log using the MAC address? Any insight at all would be
> greatly appreciated.
One can only use the available data. The MAC address isn't available to
syslog-ng as it isn't part of the message payload. Even if the MAC
address seen by the networking stack were available, it would be more
or less useless, as the local router's MAC would be there instead of the
MACs of the logging clients, unless you've got a very simple network
with a single subnet.

It could be possible to write a program which looks up the IP<->MAC
association at a given date based on external data like a DHCP lease
database, so if you've got such data available then the logs could get
postprocessed - or even better, if the program is fast and could run on
the same machine syslog-ng is running on, then it could get used as a
program() destination.
hth,
Sandor
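
The lookup described in the reply above, as an added example that is not part of the original message: it resolves an IP to the MAC that held the lease at the message's timestamp, so a reused address is never attributed to the wrong phone. It assumes an ISC dhcpd-style lease file with UTC times; the function names and sample leases are constructed for illustration.

```python
import ipaddress, re
from datetime import datetime

# Constructed sample in ISC dhcpd.leases syntax (UTC times); not real data.
SAMPLE_LEASES = """
lease 192.168.1.50 {
  starts 1 2015/02/16 06:00:00;
  ends 1 2015/02/16 07:00:00;
  hardware ethernet 00:04:f2:aa:bb:01;
}
lease 192.168.1.50 {
  starts 1 2015/02/16 07:30:00;
  ends 1 2015/02/16 09:30:00;
  hardware ethernet 00:04:f2:aa:bb:02;
}
"""
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
FIELD_RE = {
    "starts": re.compile(r"starts\s+\d\s+([\d/]+ [\d:]+);"),
    "ends": re.compile(r"ends\s+\d\s+([\d/]+ [\d:]+);"),
    "mac": re.compile(r"hardware ethernet\s+([0-9a-fA-F:]{17});"),
}
TIME_FMT = "%Y/%m/%d %H:%M:%S"

def parse_leases(text):
    """Return {ip: [(start, end, mac), ...]} for every complete lease block."""
    table = {}
    for ip, body in LEASE_RE.findall(text):
        m = {k: rx.search(body) for k, rx in FIELD_RE.items()}
        if not all(m.values()):
            continue  # no MAC recorded, or an open-ended "ends never" lease
        start = datetime.strptime(m["starts"].group(1), TIME_FMT)
        end = datetime.strptime(m["ends"].group(1), TIME_FMT)
        table.setdefault(ip, []).append((start, end, m["mac"].group(1).lower()))
    return table

def mac_at(table, ip, when):
    """MAC that held `ip` at `when`, or None if no lease covers that instant."""
    for start, end, mac in reversed(table.get(ip, [])):  # later entries win
        if start <= when <= end:
            return mac
    return None

def log_path(table, host, when, facility):
    """Path in the poster's layout, keyed by MAC; falls back to the IP."""
    ip = str(ipaddress.ip_address(host))  # ValueError on anything but an IP literal
    key = (mac_at(table, ip, when) or ip).replace(":", "-")
    return f"/var/log/HOSTS/{when:%Y/%m/%d}/{key}/{facility}.log"
```

A program() destination receives messages on its standard input, so a wrapper around these functions would read each line, extract the host and timestamp, and append the message to the returned path.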