5. Collecting logs from Windows hosts
5.6. Customizing the message format
5.6.2. Macros available in the syslog-ng Agent
Warning
These macros are available only in the syslog-ng Agent for Windows. To recognize Windows-specific elements of the log message (e.g., eventlog-related macros) on the syslog-ng server, you have to use parsers on the syslog-ng server. The parser must be configured to match the message format set in the syslog-ng Agent. See Section 3.8, “Parsing messages” (p. 62) for details.
Note
Note that if you use the Syslog protocol template (meaning that messages are sent using the IETF-syslog protocol), only the message part of the log message can be customized; the structure of the headers and other information is fixed by the protocol.
■ Macros related to protocol headers
■ Macros related to the date and time of the message
■ Macros related to eventlog sources
■ Macros related to file sources
By default, syslog-ng Agent uses the following format: <${PRI}>${BSDDATE} ${HOST} ${APP_NAME}[${PROCESS_ID}]: ${MESSAGE}, where ${MESSAGE} is ${EVENT_USERNAME}: ${EVENT_NAME} ${EVENT_SOURCE}: [${EVENT_TYPE}] ${EVENT_MSG} (EventID ${EVENT_ID}) for eventlog messages, and ${FILE_NAME}: ${FILE_CURRENT_POSITION}/${FILE_SIZE}: ${FILE_MESSAGE} for file messages.
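As an added example (not code from the syslog-ng documentation or product), the following Python parser shows what the server-side parser mentioned in the warning above has to do for the default Agent format: it splits a line into the header macros, decodes PRI into facility and level, and then matches the eventlog or file message body. The sample lines, host name, application name, log path and event text are constructed.

```python
import re

# Constructed sample lines in the syslog-ng Agent default format (not taken from the page):
# <PRI>BSDDATE HOST APP_NAME[PROCESS_ID]: MESSAGE, with an eventlog body and a file body.
SAMPLE_EVENTLOG = (r"<13>Jun 13 15:58:00 winhost01 syslog-ng-agent[612]: NT AUTHORITY\SYSTEM: "
                   r"System Service Control Manager: [Information] "
                   r"The Windows Update service entered the running state. (EventID 7036)")
SAMPLE_FILE = (r"<14>Jun 13 15:58:01 winhost01 syslog-ng-agent[612]: "
               r"C:\logs\app.log: 2048/4096: connection refused from 10.0.0.5")

# Header: <${PRI}>${BSDDATE} ${HOST} ${APP_NAME}[${PROCESS_ID}]: ${MESSAGE}
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<bsddate>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<app_name>[^\[\s]+)\[(?P<process_id>\d+)\]: (?P<message>.*)$")
# Eventlog body: ${EVENT_USERNAME}: ${EVENT_NAME} ${EVENT_SOURCE}: [${EVENT_TYPE}] ${EVENT_MSG} (EventID ${EVENT_ID})
EVENTLOG_RE = re.compile(
    r"^(?P<event_username>[^:]+): (?P<event_name>\S+) (?P<event_source>[^:]+): "
    r"\[(?P<event_type>[^\]]+)\] (?P<event_msg>.*) \(EventID (?P<event_id>\d+)\)$")
# File body: ${FILE_NAME}: ${FILE_CURRENT_POSITION}/${FILE_SIZE}: ${FILE_MESSAGE}
FILE_RE = re.compile(
    r"^(?P<file_name>[A-Za-z]:\\[^:]*): (?P<file_current_position>\d+)/(?P<file_size>\d+): "
    r"(?P<file_message>.*)$")


def parse_agent_line(line: str) -> dict:
    """Split one agent line into its macro values; raises ValueError if the header does not match."""
    m = HEADER_RE.match(line)
    if m is None:
        raise ValueError("line does not match the syslog-ng Agent default format")
    fields = m.groupdict()
    # PRI is facility * 8 + level, so divmod recovers both numbers.
    fields["facility"], fields["level"] = divmod(int(fields.pop("pri")), 8)
    body = fields["message"]
    for kind, rx in (("eventlog", EVENTLOG_RE), ("file", FILE_RE)):
        bm = rx.match(body)
        if bm is not None:
            fields["source_kind"] = kind
            fields.update(bm.groupdict())
            return fields
    # Message part was customized or came from another template: keep it unparsed.
    fields["source_kind"] = "unknown"
    return fields


if __name__ == "__main__":
    for sample in (SAMPLE_EVENTLOG, SAMPLE_FILE):
        for key, value in parse_agent_line(sample).items():
            print(f"{key:22} {value}")
        print()
```

If the message template on the Agent is changed, the body regexes have to be adjusted to match, which is exactly the coupling the warning above describes.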
Macros available in the syslog-ng Agent

| Macro | Description |
|---|---|
| HOST | Name of the host sending the message. Hostnames are automatically converted to lowercase. |
| MESSAGE | The content of the message, including the text of the message and any file- or event-specific macros that are set for the source. |
| MSG | An alias for the MESSAGE macro. |
| PRI | Priority header of the message, storing the facility and the level of the message. |

Table 5.1. Protocol-related macros of the syslog-ng agent
| Macro | Description |
|---|---|
| BSDDATE, R_BSDDATE, S_BSDDATE | Date of the message in BSD timestamp format (month/day/hour/minute/second, each expressed in two digits). This is the original syslog timestamp without year information, e.g., Jun 13 15:58:00. If possible, it is recommended to use ISODATE for timestamping. |
| DATE | An alias of the ISODATE macro. |
| DAY, R_DAY, S_DAY | The day the message was sent. |
| FULLDATE, R_FULLDATE, S_FULLDATE | A nonstandard format for the date of the message using the same format as DATE, but including the year as well, e.g.: 2006 Jun 13 15:58:00. |
| HOUR, R_HOUR, S_HOUR | The hour of day the message was sent. |
| ISODATE, R_ISODATE, S_ISODATE | Date of the message in the ISO 8601 compatible standard timestamp format (yyyy-mm-ddThh:mm:ss+-ZONE), e.g.: 2006-06-13T15:58:00.123+01:00. If possible, it is recommended to use ISODATE for timestamping. Note that the syslog-ng agent cannot produce fractions of a second (e.g., milliseconds) in the timestamp. |
| MIN, R_MIN, S_MIN | The minute the message was sent. |
| MONTH, R_MONTH, S_MONTH | The month the message was sent as a decimal value, prefixed with a zero if smaller than 10. |
| MONTHNAME, R_MONTHNAME, S_MONTHNAME | The English name of the month the message was sent, abbreviated to three characters (e.g., Jan, Feb, etc.). |
| R_DATE | Date when the message was recorded into the eventlog container. |
| S_DATE | Date when the message was created. |
| SEC, R_SEC, S_SEC | The second the message was sent. |
| TZ, R_TZ, S_TZ | The name of the time zone of the host. |
| TZOFFSET, R_TZOFFSET, S_TZOFFSET | The time zone as hour offset from GMT, e.g.: -07:00. In syslog-ng 1.6.x this used to be -0700, but as ISODATE requires the colon, it was added to TZOFFSET as well. |
| UNIXTIME, R_UNIXTIME, S_UNIXTIME | Standard Unix timestamp, represented as the number of seconds since 1970-01-01T00:00:00. |
| YEAR, R_YEAR, S_YEAR | The year the message was sent. |
| WEEK, R_WEEK, S_WEEK | The week number of the year, prefixed with a zero for the first nine weeks of the year. (The first Monday in the year marks the first week.) |
| WEEKDAY, R_WEEKDAY, S_WEEKDAY | The 3-letter name of the day of the week the message was sent, e.g., Thu. |

Table 5.2. Time-related macros of the syslog-ng agent
| Macro | Description |
|---|---|
| EVENT_CATEGORY | The category of the event. |
| EVENT_FACILITY | The facility that sent the message. |
| EVENT_ID | The identification number of the event. |
| EVENT_LEVEL | Importance level of the message represented as a number: 6 - Success, 5 - Informational, 4 - Warning, or 3 - Error. |
| EVENT_MESSAGE | The content of the message. |
| EVENT_MESSAGE_XML | Contains the entire message in XML format. Available only on Windows Vista and Server 2008 platforms. |
| EVENT_MSG | The content of the message. This is an alias of the EVENT_MESSAGE macro. |
| EVENT_NAME | Name of the Windows event log container (e.g., Application or Security). |
| EVENT_REC_NUM | The record number of the event in the event log. |
| EVENT_SID | The security identification number of the event. |
| EVENT_SID_TYPE | The security identification number resolved into a name. One of the following: User, Group, Domain, Alias, WellKnownGroup, DeletedAccount, Invalid, Unknown, Computer. |
| EVENT_SOURCE | The application that created the message. |
| EVENT_TASK | The task category of the event. Available only on Windows Vista and Server 2008 platforms. |
| EVENT_TYPE | The importance level of the message in text format. |
| EVENT_USERNAME | The user running the application that created the message. |

Table 5.3. Eventlog-related macros of the syslog-ng agent

| Macro | Description |
|---|---|
| FILE_CURRENT_POSITION | The position of the message from the beginning of the file in bytes. |
| FILE_FACILITY | The facility that sent the message. |
| FILE_LEVEL | Importance level of the message represented as a number: 6 - Success, 5 - Informational, 4 - Warning, or 3 - Error. |
| FILE_MESSAGE | The content of the message. |
| FILE_MSG | The content of the message. This is an alias of the FILE_MESSAGE macro. |
| FILE_NAME | Name of the log file (including its path) from which the syslog-ng Agent received the message. |
| FILE_SIZE | The current size of the file in bytes. |

Table 5.4. File-related macros of the syslog-ng agent