[syslog-ng] $FULLHOST doesn't work

Evan Rempel erempel at uvic.ca
Mon Oct 16 15:18:04 UTC 2017


Your syslog message is

<14>1 2017-10-16T10:32:15.151157+02:00 my-hostname lampelogtest 54321 111111 - Test syslog message

which is not a correctly formatted syslog message because of the leading "1 ". Syslog-ng will try to parse this as a date (which should be the first thing after the <##>) and since it is not a date, the entire line will be placed into the MSG macro and all of the other header fields will be populated as best they can.

The date/time will be the date/time of the syslog-ng receiving host.
The FULLHOST will be populated with the information from the network packet. This includes the IP address of the sender.
The PROGRAM will be empty.

If you look at the messages logged in '/tmp/10.3.25.4.log' you should be able to confirm this (or prove I'm out to lunch).

Evan

On 10/16/2017 02:23 AM, Thomas Haupt wrote:
> Hi,
> I'm trying to use the hostname from inside the syslog message as filename but it doesn't work for me:
> https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/reference-macros.html#macro-fullhost
>
> my config:
> @version: 3.9
>
> options { keep_hostname(yes); use-dns(no); };
> source      s_system { udp(ip("0.0.0.0") port(514));                };
> destination d_all    { file("/tmp/${FULLHOST}.log"); };
> log                  { source(s_system); destination(d_all); };
>
>
> The result is my ip address instead of "my-hostname", but I expect "my-hostname":
> syslog-ng -Fevd
> ....
> [2017-10-16T10:32:15.188058] Incoming log entry; line='<14>1 2017-10-16T10:32:15.151157+02:00 my-hostname lampelogtest 54321 111111 - Test syslog message'
> [2017-10-16T10:32:15.188327] Initializing destination file writer; template='/tmp/${FULLHOST}.log', filename='/tmp/10.3.25.4.log'
>
> Some more information:
>
> syslog-ng --version
> syslog-ng 3.9.1
> Installer-Version: 3.9.1
> Revision:
> Module-Directory: /usr/lib64/syslog-ng
> Module-Path: /usr/lib64/syslog-ng
> Available-Modules: add-contextual-data,afamqp,affile,afprog,afsocket,afstomp,afuser,basicfuncs,cef,confgen,cryptofuncs,csvparser,date,dbparser,disk-buffer,graphite,json-plugin,kvformat,linux-kmsg-format,pseudofile,syslogformat,system-source,tfgetent
> Enable-Debug: off
> Enable-GProf: off
> Enable-Memtrace: off
> Enable-IPv6: on
> Enable-Spoof-Source: on
> Enable-TCP-Wrapper: on
> Enable-Linux-Caps: off
>
>
> The system is a SLES11SP4
>
>
> Regards,
> Thomas 
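A small model of the two parsing paths behind Evan's explanation, added here as an example and not code from the thread or from syslog-ng itself: a BSD-style (RFC 3164) header parse of the kind a udp() source applies, where a message whose header does not start with a BSD date falls back to MSG-only with HOST taken from the sender address, beside an RFC 5424 parse (the leading "1 " is the RFC 5424 version field) that recovers "my-hostname". The sample line is copied from the post; the sender address 10.3.25.4 is taken from the filename in the debug output; the regexes are simplified and are an assumption, not syslog-ng's own parser.

```python
import re
from datetime import datetime

# Constructed sample: the exact line from the original post, plus the sender address
# that appeared in the generated filename.
SAMPLE = "<14>1 2017-10-16T10:32:15.151157+02:00 my-hostname lampelogtest 54321 111111 - Test syslog message"
SENDER_IP = "10.3.25.4"

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
# RFC 3164 header: "Mmm dd hh:mm:ss HOST TAG[pid]: MSG"
BSD_RE = re.compile(
    r"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\[\s]+)(?:\[(\d+)\])?: ?(.*)$", re.DOTALL)
# RFC 5424 header: "1 TIMESTAMP HOST APP PROCID MSGID SD [MSG]"
IETF_RE = re.compile(
    r"^1 (\S+) (\S+) (\S+) (\S+) (\S+) (-|\[.*?\])(?: (.*))?$", re.DOTALL)

def parse_bsd(line, sender_ip, now=None):
    """Model of a udp() source: a BSD date is expected right after the PRI.
    If it is missing, the whole remainder becomes MSG, the date is the receiver's
    clock, PROGRAM is empty and HOST is the sender address from the datagram."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri, rest = int(m.group(1)), m.group(2)
    h = BSD_RE.match(rest)
    if h:
        return {"pri": pri, "date": h.group(1), "host": h.group(2),
                "program": h.group(3), "msg": h.group(5)}
    stamp = (now or datetime.now()).strftime("%b %d %H:%M:%S")
    return {"pri": pri, "date": stamp, "host": sender_ip, "program": "", "msg": rest}

def parse_ietf(line):
    """RFC 5424 parse: version '1', then the space-separated header fields,
    so HOST comes from the message itself rather than from the packet."""
    m = PRI_RE.match(line)
    if not m:
        return None
    h = IETF_RE.match(m.group(2))
    if not h:
        return None
    return {"pri": int(m.group(1)), "date": h.group(1), "host": h.group(2),
            "program": h.group(3), "pid": h.group(4), "msg": h.group(7) or ""}

if __name__ == "__main__":
    print(parse_bsd(SAMPLE, SENDER_IP))   # host is the sender IP, program empty
    print(parse_ietf(SAMPLE))             # host is my-hostname
```

Filing by `${FULLHOST}` from the BSD-style path therefore yields `/tmp/10.3.25.4.log`, matching the debug output above.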
