In a previous post I explained how to configure syslog-ng to accept logs from other hosts on the network. Back then I used a filter to only write logs from a specific host to a specific destination.

While this approach works fine, it requires a separate filter for each host. So I started looking for a different way to do this, and quickly found that it can be done much more simply with the SOURCEIP macro, which holds the IP address the message was received from:

# Listen for plain UDP syslog from remote hosts (IPv4 only)
source s_ucudp4 {
        network (
                transport("udp")
                port(514)
                ip-protocol(4)
        );
};

# One file per sender, named after the IP address the message came from.
# /var/log/remote must already exist (or set create-dirs(yes) on the destination).
destination df_remote {
        file("/var/log/remote/${SOURCEIP}.log");
};

log {
        source(s_ucudp4);
        destination(df_remote);
};

With this config every sending device gets its own log file, named after its source IP address, and new devices are picked up automatically without any change to the syslog-ng config.
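As an added example that is not part of the original post, here is the same SOURCEIP-based layout extended with the settings I would want on a real collector: the directory tree is created on demand, the files get restrictive ownership and permissions, each sender gets a per-day file in its own subdirectory, and a TCP listener is added next to the UDP one. The owner/group values and the choice of port 514 for TCP are assumptions; adjust them to the local setup.

```conf
@version: 3.38

options {
        # Let syslog-ng create /var/log/remote/<ip>/ for senders it has not seen before
        create-dirs(yes);
        # Do not resolve sender addresses; keeps the collector independent of DNS
        use-dns(no);
        dns-cache(no);
};

# Plain UDP syslog (IPv4). The source address of a UDP datagram can be spoofed,
# so treat the per-file split as a convenience, not as authentication.
source s_remote_udp {
        network(
                transport("udp")
                port(514)
                ip-protocol(4)
        );
};

# TCP syslog on the same port; the peer address of an established TCP
# connection is far harder to spoof than a UDP source address.
source s_remote_tcp {
        network(
                transport("tcp")
                port(514)
                ip-protocol(4)
                max-connections(100)
        );
};

# ${SOURCEIP} is taken from the receiving socket, not from the message text,
# so a sender cannot pick another host's file by lying in the syslog header
# (which is what it could do if ${HOST} were used in the path instead).
destination d_remote {
        file("/var/log/remote/${SOURCEIP}/${YEAR}-${MONTH}-${DAY}.log"
                owner("root")      # assumed; use the account your log readers run as
                group("adm")       # assumed
                perm(0640)
                dir-perm(0750)
                create-dirs(yes)
        );
};

log {
        source(s_remote_udp);
        source(s_remote_tcp);
        destination(d_remote);
};
```

Because new files appear without any config change, whatever rotates or archives them has to work on a glob (for example `/var/log/remote/*/*.log`) rather than on a fixed list of paths, and the collector's disk usage is then bounded only by how many hosts can reach port 514, which is one more reason to restrict that with a host firewall.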