Choosing the ideal configuration for your environment may not always be a straightforward decision. Depending on your use case, it is worth considering which outcome is more desirable (with the following points representing the two opposite ends of the spectrum):
If your application sends its logs through a blocking I/O socket and you prefer not to slow down or stop the application when log messages are arriving in volumes greater than syslog-ng PE is able to process, then consider turning flow control off on the client side. This way, you will not be using the whole application-client-server chain at full capacity, and yet still be able to spot the loss of application log messages at the beginning of the chain already, in the internal logs of the client.
This chapter explains the methods that you can use to customize, reformat, and modify log messages using syslog-ng Premium Edition.
Customizing message format using macros and templates explains how to use templates and macros to change the format of log messages, or the names of logfiles and database tables.
Modifying messages using rewrite rules describes how to use rewrite rules to search and replace certain parts of the message content.
Regular expressions lists the different types of regular expressions that can be used in various syslog-ng PE objects like filters and rewrite rules.
The following sections describe how to customize the names of logfiles, and also how to use templates, macros, and template functions.
Formatting messages, filenames, directories, and tablenames explains how macros work.
Modifying messages using rewrite rules describes how to use macros and templates to format log messages or change the names of logfiles and database tables.
Macros of syslog-ng PE lists the different types of macros available in syslog-ng PE.
Using template functions explains what template functions are and how to use them.
Template functions of syslog-ng PE lists the template functions available in syslog-ng PE.
The syslog-ng PE application can dynamically create filenames, directories, or names of database tables using macros that help you organize your log messages. Macros refer to a property or a part of the log message, for example, the ${HOST} macro refers to the name or IP address of the client that sent the log message, while ${DAY} is the day of the month when syslog-ng has received the message. Using these macros in the path of the destination log files allows you for example, to collect the logs of every host into separate files for every day.
A set of macros can be defined as a template object and used in multiple destinations.
Another use of macros and templates is to customize the format of the syslog message, for example, to add elements of the message header to the message text.
If a message uses the IETF-syslog format (RFC5424), only the text of the message can be customized (that is, the $MESSAGE part of the log), the structure of the header is fixed.
For details on using templates and macros, see Templates and macros.
For a list and description of the macros available in syslog-ng PE, see Macros of syslog-ng PE.
For details on using custom macros created with CSV parsers and pattern databases, see parser: Parse and segment structured messages and Using parser results in filters and templates, respectively.
© 2020 One Identity LLC. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy
