This is the eighth part of my syslog-ng tutorial. Last time, we learned about network logging. Today, we learn about syslog-ng macros and templates. At the end of the session, we will know how to do a simple log rotation using macros.
You can watch the video or read the text below.
YouTube link: https://youtu.be/Dfktsh7C5fU
Macros
Macros are variables defined by syslog-ng. When a syslog message arrives, syslog-ng parses it automatically according to the RFC3164 specification. Macros contain parsed message parts, like date or hostname. There are also many macros that are created by syslog-ng, like the time when a message was received (versus the time parsed from the message), or a macro converted from another macro, like month or day from the date parsed from the message.
Here are some example syslog-ng macros: $FACILITY, $PRIORITY, $DATE, $ISODATE, $YEAR, $MONTH, $WEEK, $DAY, $HOUR, $MINUTE and so on. You can find a lot longer list in the documentation.
In earlier parts of my syslog-ng tutorial, you might have heard me mentioning name-value pairs. How are they different from macros? Name-value pairs are variables defined by any syslog-ng parser or rule, like the CSV parser or a rewrite rule. The difference is minimal, and the two words are often used interchangeably.
Templates
Templates can be used to create new message formats or file names. Templates use macros or name-value pairs combined with static texts. Here is a simple template, which replaces the DATE macro with the more exact ISODATE in messages written to a file. In this case, the template is declared separately, so it can be reused on multiple file destinations.
Later we will see that templates can be declared inside a file destination. In that case, the template applies only to that single destination.
Templates in file names
In file destinations you can use templates as file names. You can use macros both in the directory and file names. For example: in a central syslog-ng server you can sort incoming log messages based on the host name:
Note the create_dirs(yes) option where the host name is used as a directory name. Without enabling it, the logs are lost if directories are not created for them.
Log rotation
You can do a simple log rotation, which is also based on syslog-ng macros. You can use the various date-related macros in file names. In the example below a new file is started each day for each host:
You can create a simple cron job, which compresses and later deletes log files as required by various operational or compliance rules.
Source: https://www.syslog-ng.com/community/b/blog/posts/syslog-ng-101-part-8-macros-and-templates
About DT Asia
DT Asia began in 2007 with a clear mission to build the market entry for various pioneering IT security solutions from the US, Europe and Israel.
Today, DT Asia is a regional, value-added distributor of cybersecurity solutions providing cutting-edge technologies to key government organisations and top private sector clients including global banks and Fortune 500 companies. We have offices and partners around the Asia Pacific to better understand the markets and deliver localised solutions.
