[syslog-ng] $FULLHOST doesn't work

Thomas Haupt t.haupt at ff-muenchen.de
Mon Oct 16 16:12:51 UTC 2017 

Great :-)
thanks @all

@version: 3.9

options { keep_hostname(yes); use-dns(no); };
source      s_system { udp(ip("0.0.0.0") port(514) 
flags(syslog-protocol));      };
destination d_all    { file("/tmp/${FULLHOST}.log");             };
log                  { source(s_system); destination(d_all); };



[2017-10-16T18:10:17.734169] Incoming log entry; line='<14>1 
2017-10-16T18:10:17.717023+02:00 my-hostname lampelogtest 54321 111111 - 
Test syslog message'
[2017-10-16T18:10:17.734371] Initializing destination file writer; 
template='/tmp/${FULLHOST}.log', filename='/tmp/my-hostname.log'


Best regards,
Thomas

Am 16.10.2017 um 17:45 schrieb Scheidler, Balázs:
> That's possibly an rfc5424 message, which you can parse using either 
> udp(flags(syslog-protocol)) or syslog(transport(udp)) as source.
> 
> 
> 
> On Oct 16, 2017 17:18, "Evan Rempel" <erempel at uvic.ca 
> <mailto:erempel at uvic.ca>> wrote:
> 
>     Your syslog message is
> 
>     <14>1 2017-10-16T10:32:15.151157 <tel:15.151157>+02:00 my-hostname
>     lampelogtest 54321 111111 - Test syslog message
> 
>     which is not a correctly formatted syslog message because the the
>     leading "1 ". Syslog-ng will try to parse this as a data (which
>     should be the first thing after the <##>) and since it is not a
>     data, the entire line will be placed into the MSG macro and all of
>     the other header fields will be populate the best they can.
> 
>     The date/time will be the date/time of the syslong-ng receiving host.
>     The FULLHOST will be populated with the information from the network
>     packet. This includes the IP address of the sender.
>     the PROGRAM will be empty.
> 
>     If you look at the messages logged in '/tmp/10.3.25.4.log' you
>     should be able to confirm this (or prove I'm out to lunch).
> 
>     Evan
> 
>     On 10/16/2017 02:23 AM, Thomas Haupt wrote:
> 
>         Hi,
>         I'm trying to use the hostname from inside the syslog message as
>         filename but it doesn't work for me:
>         https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/reference-macros.html#macro-fullhost
>         <https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/reference-macros.html#macro-fullhost>
> 
>         my config:
>         @version: 3.9
> 
>         options { keep_hostname(yes); use-dns(no); };
>         source      s_system { udp(ip("0.0.0.0") port(514));           
>              };
>         destination d_all    { file("/tmp/${FULLHOST}.log"); };
>         log                  { source(s_system); destination(d_all); };
> 
> 
>         The result is my ip address instead of "my-hostname", but I
>         expect "my-hostname":
>         syslog-ng -Fevd
>         ....
>         [2017-10-16T10:32:15.188058 <tel:15.188058>] Incoming log entry;
>         line='<14>1 2017-10-16T10:32:15.151157 <tel:15.151157>+02:00
>         my-hostname lampelogtest 54321 111111 - Test syslog message'
>         [2017-10-16T10:32:15.188327 <tel:15.188327>] Initializing
>         destination file writer; template='/tmp/${FULLHOST}.log',
>         filename='/tmp/10.3.25.4.log'
> 
>         Some more information:
> 
>         syslog-ng --version
>         syslog-ng 3.9.1
>         Installer-Version: 3.9.1
>         Revision:
>         Module-Directory: /usr/lib64/syslog-ng
>         Module-Path: /usr/lib64/syslog-ng
>         Available-Modules:
>         add-contextual-data,afamqp,affile,afprog,afsocket,afstomp,afuser,basicfuncs,cef,confgen,cryptofuncs,csvparser,date,dbparser,disk-buffer,graphite,json-plugin,kvformat,linux-kmsg-format,pseudofile,syslogformat,system-source,tfgetent
>         Enable-Debug: off
>         Enable-GProf: off
>         Enable-Memtrace: off
>         Enable-IPv6: on
>         Enable-Spoof-Source: on
>         Enable-TCP-Wrapper: on
>         Enable-Linux-Caps: off
> 
> 
>         The system is a SLES11SP4
> 
> 
>         Regards,
>         Thomas
> 
> 
>     ______________________________________________________________________________
>     Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>     <https://lists.balabit.hu/mailman/listinfo/syslog-ng>
>     Documentation:
>     http://www.balabit.com/support/documentation/?product=syslog-ng
>     <http://www.balabit.com/support/documentation/?product=syslog-ng>
>     FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>     <http://www.balabit.com/wiki/syslog-ng-faq>
> 
> 
> 
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>

More information about the syslog-ng mailing list