[syslog-ng] $FULLHOST doesn't work
Scheidler, Balázs
balazs.scheidler at balabit.com
Mon Oct 16 15:45:36 UTC 2017
That's possibly an rfc5424 message, which you can parse using either
udp(flags(syslog-protocol)) or syslog(transport(udp)) as source.
On Oct 16, 2017 17:18, "Evan Rempel" <erempel at uvic.ca> wrote:
> Your syslog message is
>
> <14>1 2017-10-16T10:32:15.151157+02:00 my-hostname lampelogtest 54321
> 111111 - Test syslog message
>
> which is not a correctly formatted syslog message because the the leading
> "1 ". Syslog-ng will try to parse this as a data (which should be the first
> thing after the <##>) and since it is not a data, the entire line will be
> placed into the MSG macro and all of the other header fields will be
> populate the best they can.
>
> The date/time will be the date/time of the syslong-ng receiving host.
> The FULLHOST will be populated with the information from the network
> packet. This includes the IP address of the sender.
> the PROGRAM will be empty.
>
> If you look at the messages logged in '/tmp/10.3.25.4.log' you should be
> able to confirm this (or prove I'm out to lunch).
>
> Evan
>
> On 10/16/2017 02:23 AM, Thomas Haupt wrote:
>
>> Hi,
>> I'm trying to use the hostname from inside the syslog message as filename
>> but it doesn't work for me:
>> https://www.balabit.com/documents/syslog-ng-ose-latest-
>> guides/en/syslog-ng-ose-guide-admin/html/reference-macros.
>> html#macro-fullhost
>>
>> my config:
>> @version: 3.9
>>
>> options { keep_hostname(yes); use-dns(no); };
>> source s_system { udp(ip("0.0.0.0") port(514)); };
>> destination d_all { file("/tmp/${FULLHOST}.log"); };
>> log { source(s_system); destination(d_all); };
>>
>>
>> The result is my ip address instead of "my-hostname", but I expect
>> "my-hostname":
>> syslog-ng -Fevd
>> ....
>> [2017-10-16T10:32:15.188058] Incoming log entry; line='<14>1
>> 2017-10-16T10:32:15.151157+02:00 my-hostname lampelogtest 54321 111111 -
>> Test syslog message'
>> [2017-10-16T10:32:15.188327] Initializing destination file writer;
>> template='/tmp/${FULLHOST}.log', filename='/tmp/10.3.25.4.log'
>>
>> Some more information:
>>
>> syslog-ng --version
>> syslog-ng 3.9.1
>> Installer-Version: 3.9.1
>> Revision:
>> Module-Directory: /usr/lib64/syslog-ng
>> Module-Path: /usr/lib64/syslog-ng
>> Available-Modules: add-contextual-data,afamqp,aff
>> ile,afprog,afsocket,afstomp,afuser,basicfuncs,cef,confgen,
>> cryptofuncs,csvparser,date,dbparser,disk-buffer,graphite,
>> json-plugin,kvformat,linux-kmsg-format,pseudofile,syslogf
>> ormat,system-source,tfgetent
>> Enable-Debug: off
>> Enable-GProf: off
>> Enable-Memtrace: off
>> Enable-IPv6: on
>> Enable-Spoof-Source: on
>> Enable-TCP-Wrapper: on
>> Enable-Linux-Caps: off
>>
>>
>> The system is a SLES11SP4
>>
>>
>> Regards,
>> Thomas
>>
>
> ____________________________________________________________
> __________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=
> syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20171016/7a31bd0e/attachment.html>
More information about the syslog-ng
mailing list