Rename the hostname in syslog-ng

At present, syslog-ng (syslog-ng Open Source Edition) has no configuration option to set the hostname of the server directly. syslog-ng resolves the system name through DNS, or, if DNS resolution is explicitly switched off (with a couple of options), it uses the IP address instead. Sometimes the DNS name of the system is not valid, for example in containers, or simply for clearer naming it is useful to have a simple option to set the hostname that appears in the syslog packets.

rewrite rule

The easiest and best way to change the system's hostname in the packets is to use substitution rules with rewrite. A rewrite rule can operate on the so-called soft macros (the parts of the message that may be modified), such as MESSAGE, PROGRAM, HOST or user-defined macros. The syslog message format and its fields are described in RFC 5424. It is worth adding that it is possible to replace either the whole macro or just a part of it.
Here is the configuration to set the system's hostname:

#substitution rule
rewrite my_host { set("my-server-name", value("HOST")); };

#use the rule before the destination!!!
log { source(src); rewrite(my_host); destination(messages);};

The substitution rule should be used before the destination rule to take effect.

Here is a more complex example to set the system’s hostname only to certain packets:

@version: 3.6
# $Header: /var/cvsroot/gentoo-x86/app-admin/syslog-ng/files/3.6/syslog-ng.conf.gentoo,v 1.1 2014/11/09 08:10:43 mr_bones_ Exp $
#
# Syslog-ng default configuration file for Gentoo Linux

# https://bugs.gentoo.org/show_bug.cgi?id=426814
@include "scl.conf"

options {
        threaded(yes);
        chain_hostnames(no);

        # The default action of syslog-ng is to log a STATS line
        # to the file every 10 minutes.  That's pretty ugly after a while.
        # Change it to every 12 hours so you get a nice daily update of
        # how many messages syslog-ng missed (0).
        stats_freq(43200);
        # The default action of syslog-ng is to log a MARK line
        # to the file every 20 minutes.  That seems high for most
        # people so turn it down to once an hour.  Set it to zero
        # if you don't want the functionality at all.
        mark_freq(3600);
        long_hostnames(on);
        use_dns(no);
        use_fqdn(no);
};

#listen on UDP local 514 port
source udp_local {
    network(ip(127.0.0.1) port(514) transport("udp")
            so_rcvbuf(67108864) log_fetch_limit(1000)
            max-connections(1000) log-iw-size(1000000));
};


#replace hostname
rewrite my_host { set("my-server-name", value("HOST")); };

#NGINX - web logs
filter filter_nginx_access_log { program(nginx); };
destination d_tcp_syslog {
  syslog("10.10.10.10"
         port(10514)
         transport("tcp")
         disk-buffer(mem-buf-length(10000)
                     mem-buf-size(128M) disk-buf-size(1024M)
                     reliable(yes) dir("/var/lib/syslog-ng")
         )
  );
};
log { source(udp_local); filter(filter_nginx_access_log); destination(d_tcp_syslog); };

source src { system(); internal();};

destination messages { file("/var/log/messages"); };

log { source(src);
        if (program("nginx*"))
        {
                rewrite(my_host);
                destination(d_tcp_syslog);
        }
        else
        {
                destination(messages);
        };
};

The system's hostname is replaced with the new value my-server-name only in the packets sent to the remote destination.

Replace a string in a macro

Use subst() to replace a substring with a new one:

rewrite rule_subst {
    subst("domain.com", "localhost", value("HOST"));
};

Check out the manual for details – https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.25/administration-guide/65

More articles with syslog-ng: https://ahelpme.com/tag/syslog-ng/
