Informations, tips and technics.

How to log in syslog-ng when the message does not have the hostname field

Depending of you syslog-ng configuration, you may have configured your logging system to write a different at different place (folder created by year and month for ex) and for each different hosts that contact your syslog server.

I will not detail here all the configuration needed for that (or maybe later if you are nice) but I will explain a trick that can help you when the syslog-ng server does not want to create a file for a host and put its messages in the Fallback file. 

Usually, all is working fine with simple filters, like this one :

filter my_filter { host("myserver");};

Here, ‘myserver‘ is in fact the hostname in the message header (should be in third position after the date and the hour/timestamp). Some device may send their messages without the hostname field in the message resulting the log written in the fallback file.

In this case, you can use netmask intead of host, like this:

filter my_filter { netmask("<ip address of the server>/<netmask>");};

for ex : filter my_filter { netmask(““);};

Which should this time make your redirection to work well and the file created for this host correctly.

Note: using /32 does not work at all, use the entire netmask instead.


Filed under: Linux, , , , ,

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: