/home

Icon

Informations, tips and technics.

How to log in syslog-ng when the message does not have the hostname field

Depending of you syslog-ng configuration, you may have configured your logging system to write a different at different place (folder created by year and month for ex) and for each different hosts that contact your syslog server.

I will not detail here all the configuration needed for that (or maybe later if you are nice) but I will explain a trick that can help you when the syslog-ng server does not want to create a file for a host and put its messages in the Fallback file. 

Usually, all is working fine with simple filters, like this one :

filter my_filter { host("myserver");};

Here, ‘myserver‘ is in fact the hostname in the message header (should be in third position after the date and the hour/timestamp). Some device may send their messages without the hostname field in the message resulting the log written in the fallback file.

In this case, you can use netmask intead of host, like this:

filter my_filter { netmask("<ip address of the server>/<netmask>");};

for ex : filter my_filter { netmask(“192.168.1.100/255.255.255.0“);};

Which should this time make your redirection to work well and the file created for this host correctly.

Note: using /32 does not work at all, use the entire netmask instead.

Filed under: Linux, , , , ,