15.2.1. Referring to parts of the message as a macro

The syslog-ng Premium Edition 7 Administrator Guide

You can refer to the separated parts of the message using the key of the value as a macro. For example, if the message contains KEY1=value1,KEY2=value2, you can refer to the values as ${KEY1} and ${KEY2}.

For example, if the default prefix (.geoip2) is used, you can determine the country code using ${.geoip2.country.iso_code}.

To look up all keys:

  1. Install the mmdb-bin package.

    After installing this package, you will be able to use the mmdblookup command.

    Note

    The name of the package depends on the Linux distribution. The package name given in this example is the one used on Ubuntu.

  2. Create a dump using the following command:

       mmdblookup --file GeoLite2-City.mmdb --ip <your-IP-address>

    The resulting dump file will contain the keys that you can use.

For a more complete list of keys, you can also check the GeoIP2 City and Country CSV Databases. However, note that the syslog-ng PE application works only with the mmdb (GeoIP2) format of these databases. Other formats, such as CSV, are not supported.
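The following configuration is an added example, not taken from the Administrator Guide: it runs the geoip2 parser on the sender address of incoming network logs, then uses the ${.geoip2.country.iso_code} macro described above both in a filter and in a file template, so that messages arriving from an unexpected country are written to a separate file for review. The database path, the port, the output file names and the expected country code "US" are assumptions for this example; the geoip2() parser options follow the syslog-ng documentation.

```conf
@version: 7.0
@include "scl.conf"

# Assumed: logs arrive over syslog UDP/514; ${SOURCEIP} holds the sender address.
source s_net { network(ip("0.0.0.0") port(514) transport("udp")); };

# Enrich each message with GeoIP2 data for the sender address.
# No prefix() option is given, so the default ".geoip2." prefix applies
# and the looked-up keys become macros such as ${.geoip2.country.iso_code}.
parser p_geoip2 {
    geoip2(
        "${SOURCEIP}",
        database("/usr/share/GeoIP/GeoLite2-City.mmdb")   # assumed path
    );
};

# Messages whose resolved country is not the expected one ("US" is assumed here).
# A sender with no database entry has an empty iso_code and also matches,
# so unresolvable sources land in the review file rather than being dropped.
filter f_unexpected_country {
    "${.geoip2.country.iso_code}" != "US";
};

# Everything, annotated with the country code from the macro.
destination d_all {
    file("/var/log/net-by-country.log"                       # assumed path
        template("${ISODATE} ${SOURCEIP} country=${.geoip2.country.iso_code} ${MESSAGE}\n")
    );
};

# Only the messages from outside the expected country, for analyst review.
destination d_review {
    file("/var/log/net-unexpected-country.log"               # assumed path
        template("${ISODATE} ${SOURCEIP} country=${.geoip2.country.iso_code} ${MESSAGE}\n")
    );
};

log {
    source(s_net);
    parser(p_geoip2);
    log { destination(d_all); };
    log { filter(f_unexpected_country); destination(d_review); };
};
```

Before relying on a key in a filter or template, confirm it exists for your database with the mmdblookup dump described above, since the City and Country databases expose different key sets.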