The following options can be specified in the options statement, as described in Global options of syslog-ng OSE.

bad-hostname()

Accepted values: regular expression
Default: no

Description: A regexp containing hostnames which should not be handled as hostnames.

chain-hostnames()

Accepted values: yes | no
Default: no

Description: Enable or disable the chained hostname format. If a client sends the log message directly to the syslog-ng OSE server, the chain-hostnames() option is enabled on the server, and the client sends a hostname in the message that is different from its DNS hostname (as resolved from DNS by the syslog-ng OSE server), then the server can append the resolved hostname to the hostname in the message (separated with a / character) when the message is written to the destination.

For example, consider a client-server scenario with the following hostnames: client-hostname-from-the-message, client-hostname-resolved-on-the-server, server-hostname. The hostname of the log message written to the destination depends on the keep-hostname() and the chain-hostnames() options. How keep-hostname() and chain-hostnames() options are related is described in the following table.

keep-hostname() setting on the server
yes no
chain-hostnames() setting on the server yes client-hostname-from-the-message client-hostname-from-the-message/client-hostname-resolved-on-the-server
no client-hostname-from-the-message client-hostname-resolved-on-the-server

If the log message is forwarded to the syslog-ng OSE server via a syslog-ng OSE relay, the hostname depends on the settings of the keep-hostname() and the chain-hostnames() options both on the syslog-ng OSE relay and the syslog-ng OSE server.

For example, consider a client-relay-server scenario with the following hostnames: client-hostname-from-the-message, client-hostname-resolved-on-the-relay, client-hostname-resolved-on-the-server, relay-hostname-resolved-on-the-server. How keep-hostname() and chain-hostnames() options are related is described in the following table.

chain-hostnames() setting on the server
yes no
keep-hostname() setting on the server keep-hostname() setting on the server
yes no yes no
chain-hostnames() setting on the relay yes keep-hostname() setting on the relay yes client-hostname-from-the-message client-hostname-from-the-message / relay-hostname-resolved-on-the-server client-hostname-from-the-message relay-hostname-resolved-on-the-server
no client-hostname-from-the-message-client / relay-hostname-resolved-on-the-relay client-hostname-from-the-message-client / relay-hostname-resolved-on-the-relay / relay-hostname-resolved-on-the-server client-hostname-from-the-message-client / relay-hostname-resolved-on-the-relay
no keep-hostname() setting on the relay yes client-hostname-from-the-message client-hostname-from-the-message / relay-hostname-resolved-on-the-server client-hostname-from-the-message
no client-hostname-resolved-on-the-relay client-hostname-resolved-on-the-relay / relay-hostname-resolved-on-the-server client-hostname-resolved-on-the-relay

The chain-hostnames() option can interfere with the way syslog-ng OSE counts the log source hosts. As a result, syslog-ng OSE falsely perceives several hosts logging to the central server, especially if the clients sends a hostname in the message that is different from its real hostname (as resolved from DNS). Disable the chain-hostnames() option on your log sources to avoid any problems related to license counting.

check-hostname()

Accepted values: yes | no
Default: no

Description: Enable or disable checking whether the hostname contains valid characters.

create-dirs()

Accepted values: yes or no
Default: no

Description: Enable creating non-existing directories when creating files or socket files.

custom-domain()

NOTE: This global option works only if the use-fqdn() global option is set to yes.

Accepted values: string
Default: empty string

Description: Use this option to specify a custom domain name that is appended after the short hostname to receive the fully qualified domain name (FQDN). This option affects every outgoing message: eventlog sources, file sources, MARK messages and internal messages of syslog-ng OSE.

dir-group()

Accepted values: groupid
Default: root

Description: The group of the directories created by syslog-ng. To preserve the original properties of an existing directory, use the option without specifying an attribute: dir-group().

dir-owner()

Accepted values: userid
Default: root

Description: The owner of the directories created by syslog-ng. To preserve the original properties of an existing directory, use the option without specifying an attribute: dir-owner().

Starting with version 3.16, the default value of this option is -1, so syslog-ng OSE does not change the ownership, unless explicitly configured to do so.

dir-perm()

Accepted values: permission value
Default: -1

Description: The permission mask of directories created by syslog-ng. Log directories are only created if a file after macro expansion refers to a non-existing directory, and directory creation is enabled (see also the create-dirs() option). For octal numbers prefix the number with 0, for example, use 0755 for rwxr-xr-x.

To preserve the original properties of an existing directory, use the option without specifying an attribute: dir-perm(). Note that when creating a new directory without specifying attributes for dir-perm(), the default permission of the directories is masked with the umask of the parent process (typically 0022).

Starting with version 3.16, the default value of this option is -1, so syslog-ng OSE does not change the ownership, unless explicitly configured to do so.

dns-cache()

Accepted values: yes | no
Default: yes

Description: Enable or disable DNS cache usage.

NOTE: This option has no effect if the keep-hostname() option is enabled (keep-hostname(yes)) and the message contains a hostname.

dns-cache-expire()

Accepted values: number
Default: 3600

Description: Number of seconds while a successful lookup is cached.

dns-cache-expire-failed()

Accepted values: number
Default: 60

Description: Number of seconds while a failed lookup is cached.

dns-cache-hosts()

Accepted values: filename
Default: unset

Description: Name of a file in /etc/hosts format that contains static IP->hostname mappings. Use this option to resolve hostnames locally without using a DNS. Note that any change to this file triggers a reload in syslog-ng OSE and is instantaneous.

dns-cache-size()

Accepted values: number of hostnames
Default: 1007

Description: Number of hostnames in the DNS cache.

file-template()

Accepted values: string
Default:  

Description: Specifies a template that file-like destinations use by default. For example:

template t_isostamp { template("${ISODATE} ${HOST} ${MSGHDR}${MSG}\n"); };
options { file-template(t_isostamp); };

flush-lines()

Type: number
Default: 100

Description: Specifies how many lines are flushed to a destination at a time. The syslog-ng OSE application waits for this number of lines to accumulate and sends them off in a single batch. Increasing this number increases throughput as more messages are sent in a single batch, but also increases message latency.

The syslog-ng OSE application flushes the messages if it has sent flush-lines() number of messages, or the queue became empty. If you stop or reload syslog-ng OSE or in case of network sources, the connection with the client is closed, syslog-ng OSE automatically sends the unsent messages to the destination.

For optimal performance when sending messages to an syslog-ng OSE server, make sure that the value of flush-lines() is smaller than the window size set in the log-iw-size() option in the source of your server.

frac-digits()

Type: number
Default: 0

Description: The syslog-ng OSE application can store fractions of a second in the timestamps according to the ISO8601 format. The frac-digits() parameter specifies the number of digits stored. The digits storing the fractions are padded by zeros if the original timestamp of the message specifies only seconds. Fractions can always be stored for the time the message was received.

NOTE: The syslog-ng OSE application can add the fractions to non-ISO8601 timestamps as well.

NOTE: As syslog-ng OSE is precise up to the microsecond, when the frac-digits() option is set to a value higher than 6, syslog-ng OSE will truncate the fraction seconds in the timestamps after 6 digits.

group()

Accepted values: groupid
Default: root

Description: The default group of output files. By default, syslog-ng changes the privileges of accessed files (for example, /dev/null) to root.root 0600. To disable modifying privileges, use this option with the -1 value.

jvm-options()

Type: list
Default: N/A

Description: Specify the Java Virtual Machine (JVM) settings of your Java destination from the syslog-ng OSE configuration file.

For example:

jvm-options("-Xss1M -XX:+TraceClassLoading")

keep-hostname()

Type: yes or no
Default: no

Description: Enable or disable hostname rewriting.

NOTE: If the log message does not contain a hostname in its HOST field, syslog-ng OSE automatically adds a hostname to the message.

  • For messages received from the network, this hostname is the address of the host that sent the message (this means the address of the last hop if the message was transferred via a relay).

  • For messages received from the local host, syslog-ng OSE adds the name of the host.

This option can be specified globally, and per-source as well. The local setting of the source overrides the global option if available.

NOTE: When relaying messages, enable this option on the syslog-ng OSE server and also on every relay, otherwise syslog-ng OSE will treat incoming messages as if they were sent by the last relay.

keep-timestamp()

Accepted values: yes | no
Default: yes

Description: Specifies whether syslog-ng OSE should accept the timestamp received from the sending application or client. If disabled, the time of reception will be used instead. This option can be specified globally, and per-source as well. The local setting of the source overrides the global option if available.

CAUTION: To use the S_ macros, the keep-timestamp() option must be enabled (this is the default behavior of syslog-ng OSE).

log-fifo-size()

Type: number
Default: 10000

Description: The number of messages that the output queue can store.

log-level()

Accepted values: default, verbose, debug, trace
Default: default

This option is available in syslog-ng OSE version 4.0 and later versions.

Description: Controls the own internal log level of syslog-ng OSE. Corresponds to setting the internal log level using syslog-ng-ctl or the command line options of syslog-ng OSE (the -d, -v, and -t ). Setting the log level in the configuration makes it easier to control logging in containerized environments where changing command line options is more problematic.

Higher log-levels automatically include messages from lower log-levels:

  • default: Normal log messages.

  • verbose: Normal and verbose log messages.

  • debug: Include debug messages of syslog-ng OSE.

  • trace: Include trace messages of how messages are processed.

Example:

options { log-level(debug); };

log-msg-size()

Type: number (bytes)
Default: 65536

Description: Maximum length of an incoming message in bytes. This length includes the entire message (the data structure and individual fields). The maximal value that can be set is 268435456 bytes (256 MiB).

For messages using the IETF-syslog message format, the maximal size of the value of an SDATA field is 64 KiB.

NOTE: In most cases, log-msg-size() does not need to be set higher than 10 MiB.

For details on how encoding affects the size of the message, see Message size and encoding.

You can use human-readable units when setting configuration options. For details, see Notes about the configuration syntax.

Uses the value of the global option if not specified.

mark() (DEPRECATED)

Accepted values: number
Default: 1200

Description: The mark-freq() option is an alias for the deprecated mark() option. This is retained for compatibility with syslog-ng OSE version 1.6.x.

mark-freq()

Accepted values: number [seconds]
Default: 1200

Description: An alias for the obsolete mark() option, retained for compatibility with syslog-ng OSE version 1.6.x.

The number of seconds between two MARK messages. MARK messages are generated when there was no message traffic to inform the receiver that the connection is still alive. If set to zero (0), no MARK messages are sent. The mark-freq() can be set for global option and/or every MARK capable destination driver if mark-mode() is periodical or dst-idle or host-idle. If mark-freq() is not defined in the destination, then the mark-freq() will be inherited from the global options. If the destination uses internal mark-mode(), then the global mark-freq() will be valid (does not matter what mark-freq() set in the destination side).

mark-mode()

Accepted values: internal | dst-idle | host-idle | periodical | none | global  
Default: internal for pipe, program drivers, none for file, unix-dgram, unix-stream drivers, global for syslog, tcp, udp destinations, host-idle for global option  

Description: The mark-mode() option can be set for the following destination drivers: file(), program(), unix-dgram(), unix-stream(), network(), pipe(), syslog() and in global option.

NOTE: In case of dst-idle, host-idle and periodical, the MARK message will not be written in the destination, if it is not open yet.

Available in syslog-ng OSE 3.4 and later.

normalize-hostnames()

Accepted values: yes | no
Default: no

Description: If enabled (normalize-hostnames(yes)), syslog-ng OSE converts the hostnames to lowercase.

NOTE: This setting applies only to hostnames resolved from DNS. It has no effect if the keep-hostname() option is enabled, and the message contains a hostname.

on-error()

Accepted values: drop-message | drop-property | fallback-to-string | silently-drop-message | silently-drop-property | silently-fallback-to-string
Default: drop-message

Description: Controls what happens when type-casting fails and syslog-ng OSE cannot convert some data to the specified type. By default, syslog-ng OSE drops the entire message and logs the error. Currently the value-pairs() option uses the settings of on-error().

  • drop-message: Drop the entire message and log an error message to the internal() source. This is the default behavior of syslog-ng OSE.

  • drop-property: Omit the affected property (macro, template, or internal() source. message-field) from the log message and log an error message to the

  • fallback-to-string: Convert the property to string and log an error message to the internal() source.

  • silently-drop-message: Drop the entire message silently, without logging the error.

  • silently-drop-property: Omit the affected property (macro, template, or message-field) silently, without logging the error.

  • silently-fallback-to-string: Convert the property to string silently, without logging the error.

owner()

Accepted values: userid
Default: root

Description: The default owner of output files. If set, syslog-ng changes the owner of accessed files (for example, /dev/null) to this value, and the permissions to the value set in the perm() option.

Starting with version 3.16, the default value of this option is -1, so syslog-ng OSE does not change the ownership, unless explicitly configured to do so.

pass-unix-credentials()

Accepted values: yes | no
Default: yes

Description: Enable syslog-ng OSE to collect UNIX credential information (that is, the PID, user ID, and group of the sender process) for messages received using UNIX domain sockets. Available only in syslog-ng Open Source Edition 3.7 and later. Note that collecting UNIX credential information from sockets in high-traffic environments can be resource intensive, therefore pass-unix-credentials() can be disabled globally, or separately for each source.

perm()

Type: number (octal notation)
Default: 0600

Description: Sets the permission mask. For octal numbers prefix the number with 0, for example: use 0755 for rwxr-xr-x.

proto-template()

Accepted values: name of a template
Default: The default message format of the used protocol

Description: Specifies a template that protocol-like destinations (for example, network() and syslog()) use by default. For example:

template t_isostamp { template("${ISODATE} ${HOST} ${MSGHDR}${MSG}\n"); };
options { proto-template(t_isostamp); };

recv-time-zone()

Accepted values: name of the timezone, or the timezone offset
Default: local timezone

Description: Specifies the time zone associated with the incoming messages, if not specified otherwise in the message or in the source driver.

For details, see also Timezones and daylight saving and A note on timezones and timestamps.

The timezone can be specified by using the name, for example, time-zone(“Europe/Budapest”), or as the timezone offset in +/-HH:MM format, for example, +01:00. On Linux and UNIX platforms, the valid timezone names are listed under the /usr/share/zoneinfo directory.

send-time-zone()

Accepted values: name of the timezone, or the timezone offset
Default: local timezone

Description: Specifies the time zone associated with the messages sent by syslog-ng OSE, if not specified otherwise in the message or in the destination driver.

For details, see also Timezones and daylight saving and A note on timezones and timestamps.

The timezone can be specified by using the name, for example, time-zone(“Europe/Budapest”), or as the timezone offset in +/-HH:MM format, for example, +01:00. On Linux and UNIX platforms, the valid timezone names are listed under the /usr/share/zoneinfo directory.

stats()

Available in syslog-ng OSE 4.1 and later versions.

Description: The stats() option is an aggregated collection of statistic-related sub-options.

Example:

options {
    stats(
        freq(1)
        level(1)
        lifetime(1000)
        max-dynamics(10000)
        syslog-stats(yes)
    );
};

The following sub-options are available within the stats() option:

  • freq()
Accepted values: number
Default: 600
Accepted values: 0, 1, 2, 3
Default: 0

Description: Specifies the detail of statistics syslog-ng OSE collects about the processed messages.

  • Level 0 collects only statistics about the sources and destinations.

  • Level 1 contains details about the different connections and log files, but has a slight memory overhead.

  • Level 2 contains detailed statistics based on the hostname.

  • Level 3 contains detailed statistics based on various message parameters like facility, severity, or tags.

NOTE: Level 2 and 3 increase the memory requirements and CPU load. For details on message statistics, see Statistics of syslog-ng.

  • max-dynamics()
Accepted values: number
Default: N/A

Description: To avoid performance issues or even overloading syslog-ng OSE (for example, if a script starts to send logs from different IP addresses to syslog-ng OSE), you might want to limit the number of registered dynamic counters in the message statistics. For details on message statistics, see Statistics of syslog-ng.

  • Unlimited dynamic counters:

    If this option is not used, dynamic counters are not limited. This can be useful in cases where you are extremely interested in dynamic counters, and use these statistics extensively.

    CAUTION: In some cases, there might be even millions of dynamic counters.

  • Limited dynamic counter clusters:

    To limit dynamic counters, enter a number, and only a maximum of counters will be registered in the statistics.

    In practice, this means dynamic counter clusters. A program name produces one dynamic counter cluster, that can include several counters, such as processed, stamp, and so on.

    Example: Limiting dynamic counter clusters 1:

    If stats-max-dynamics() is set to 1, and 2 programs send messages, only one of these programs will be tracked in the dynamic counters, but it will have more than one counters.

    Example: Limiting dynamic counter clusters 2:

    If you have 500 clients, and set stats-max-dynamics() to 1000, you will have enough number of counters reserved for these clients, but at the same time, you limit the use of your resources and therefore protect your system from being overloaded.

  • No dynamic counters:

    To disable dynamic counters completely, set the value of this option to 0. This is the recommended value if statistics are not used, or if dynamic counters are irrelevant (for example, the number of logs arriving from programs).

NOTE: If a lower value is set to stats-max-dynamics() (or, any limiting value, if this option has not been configured before) and syslog-ng OSE is restarted, the changes are only applied after stats-freq() time has passed. That is, the previously allocated dynamic clusters are only removed after this time.

syslog-stats()

Accepted values: yes, no, auto
Default: auto

Available in syslog-ng OSE 4.1 and later versions.

Description: Configures the behavior of counting messages based on different syslog fields, like SEVERITY, FACILITY, HOST.

Possible values:

  • yes: Enable syslog stats.

  • no: Disable syslog stats.

  • auto: Use the settings of the stats-level() option.

stats-freq() (DEPRECATED)

This is a deprecated legacy option. Use the stats() option.

stats-level() (DEPRECATED)

This is a deprecated legacy option. Use the stats() option.

stats-max-dynamics() (DEPRECATED)

This is a deprecated legacy option. Use the stats() option.

sync() or sync-freq() (DEPRECATED)

This is a deprecated legacy option. Use the stats() option.

threaded()

Accepted values: yes|no
Default: yes

Description: Enable syslog-ng OSE to run in multithreaded mode and use multiple CPUs. Available only in syslog-ng Open Source Edition 3.3 and later. Note that setting threaded(no) does not mean that syslog-ng OSE will use only a single thread. For details, see Multithreading and scaling in syslog-ng OSE.

time-reap()

Accepted values: number (seconds)
Default: 60 or 0, see description for details

Description: The time to wait in seconds before an idle destination file or pipe is closed. Note that only destination files having macros in their filenames are closed automatically.

Starting with version 3.23, the way how time-reap() works is the following.

  1. If the time-reap() option of the destination is set, that value is used, for example:

     destination d_fifo {
     pipe(
         "/tmp/test.fifo",
         time-reap(30)  # sets time-reap() for this destination only
     );
 };

  2. If the time-reap() option of the destination is not set, and the destination does not use a template or macro in its filename or path, time-reap() is automatically set to 0. For example:

     destination d_fifo {
     pipe(
         "/tmp/test.fifo",
     );
 };

  3. Otherwise, the value of the global time-reap() option is used, which defaults to 60 seconds.

time-reopen()

Accepted values: number [seconds]
Default: 60

Description: The time to wait in seconds before a dead connection is reestablished.

time-sleep() (DEPRECATED)

Accepted values: number
Default: 0

Description: The time to wait in milliseconds between each invocation of the poll() iteration.

time-zone()

Type: name of the timezone, or the timezone offset
Default:  

Description: The default timezone for messages read from the source. Applies only if no timezone is specified within the message itself.

The timezone can be specified by using the name, for example, time-zone(“Europe/Budapest”)), or as the timezone offset in +/-HH:MM format, for example, +01:00). On Linux and UNIX platforms, the valid timezone names are listed under the /usr/share/zoneinfo directory.

trim-large-messages()

Accepted values: yes | no
Default: Use the global trim-large-messages() option, which defaults to no.

Description: Determines what syslog-ng OSE does with incoming log messages that are received using the IETF-syslog protocol using the syslog() driver, and are longer than the value of log-msg-size(). Other drivers ignore the trim-large-messages() option.

  • If set to no, syslog-ng OSE drops the incoming log message.

  • If set to yes, syslog-ng OSE trims the incoming log message to the size set in log-msg-size(), and adds the trimmed tag to the message. The rest of the message is dropped. You can use the tag to filter on such messages.

      filter f_trimmed {
      tags("trimmed");
  };

    If syslog-ng OSE trims a log message, it sends a debug-level log message to its internal() source.

    As a result of trimming, a parser could fail to parse the trimmed message. For example, a trimmed JSON or XML message will not be valid JSON or XML.

Available in syslog-ng OSE version 3.21 and later.

Uses the value of the global option if not specified.

ts-format()

Type: rfc3164, bsd, rfc3339, iso
Default: rfc3164

Description: Override the global timestamp format (set in the global ts-format() parameter) for the specific destination. For details, see ts-format().

NOTE: This option applies only to file and file-like destinations. Destinations that use specific protocols (for example, network(), or syslog()) ignore this option. For protocol-like destinations, use a template locally in the destination, or use the proto-template() option.

use-dns()

Accepted values: yes, no, persist_only
Default: yes

Description: Enable or disable DNS usage. The persist_only option attempts to resolve hostnames locally from file (for example, from /etc/hosts). The syslog-ng OSE application blocks on DNS queries, so enabling DNS may lead to a Denial of Service attack. To prevent DoS, protect your syslog-ng OSE network endpoint with firewall rules, and make sure that all hosts which may get to syslog-ng OSE are resolvable. This option can be specified globally, and per-source as well. The local setting of the source overrides the global option if available.

NOTE: This option has no effect if the keep-hostname() option is enabled (keep-hostname(yes)) and the message contains a hostname.

use-fqdn()

Accepted values: yes | no
Default: no

Description: Use this option to add a Fully Qualified Domain Name (FQDN) instead of a short hostname. You can specify this option either globally or per-source. The local setting of the source overrides the global option if available.

TIP: Set use-fqdn() to yes if you want to use the custom-domain() global option.

NOTE: This option has no effect if the keep-hostname() option is enabled (keep-hostname(yes)) and the message contains a hostname.

use-rcptid()

Accepted values: yes | no
Default: no

Description: When the use-rcptid global option is set to yes, syslog-ng OSE automatically assigns a unique reception ID to every received message. You can access this ID and use it in templates via the ${RCPTID} macro. The reception ID is a monotonously increasing 48-bit integer number, that can never be zero (if the counter overflows, it restarts with 1).

use-uniqid()

Accepted values: yes | no
Default: no

Description: This option enables generating a globally unique ID. It is generated from the HOSTID and the RCPTID in the format of HOSTID@RCPTID. It has a fixed length: 16+@+8 characters. You can include the unique ID in the message by using the macro. For details, see ${UNIQID}.

Enabling this option automatically generates the HOSTID. The HOSTID is a persistent, 32-bits-long cryptographically secure pseudo random number, that belongs to the host that the syslog-ng OSE is running on. If the persist file is damaged, the HOSTID might change.

Enabling this option automatically enables the ${RCPTID} functionality. For details, see ${RCPTID}.

Updated: