Keywords

In the format file, use keywords to assign values that expand at run time.

The following keywords expand at run time:

  • DEFAULT
  • FILENAME
  • LABEL
  • REGEX

DEFAULT

Use the DEFAULT keyword to assign a default value to a specific slot or attribute. The OS agent assigns an internal default value to the slots that are described in the following table:

Table 1. Slots and the DEFAULT value

| Slots | Description |
| --- | --- |
| hostname | hostname is the short host name of the system where the agent is running. It does not include the domain name of the system. |
| origin | origin is the IP address of the system where the agent is running. |
| fqhostname | fqhostname is the fully qualified host name of the system where the agent is running. It includes the domain name of the system. |
| RemoteHost | When an event originates on the local system, this attribute is empty. If an event originates on a remote system, RemoteHost contains a string of the form user@host:port, which indicates the remote host name on which the event occurred, and the user and port on that host that are used to connect. |

The value that is assigned to fqhostname is influenced by the following FQDomain (optional) settings in the .conf file:

  • If you set FQDomain to yes, the agent determines the system domain name itself.
  • If you do not set a value for FQDomain or if you set the value to no, the agent does not set a domain name, and the fqhostname attribute is assigned a blank string.
  • If you set FQDomain to a value other than yes or no, that value is accepted as the domain name and is appended to the host name.

In the following example, the format definition contains three attributes or slots:

  • hostname DEFAULT
  • origin DEFAULT
  • fqhostname DEFAULT

If you set FQDomain to yes in the .conf file and run the agent on a computer with the following properties:

  • hostname: myhost
  • IP address: 192.168.1.100
  • domainname: mycompany.com

an event is created and the three slots are assigned the following values:

"hostname=myhost", "origin=192.168.1.100", "fqhostname=myhost.mycompany.com"
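
The following Python sketch is an added illustration, not code from the agent or its documentation. It applies the three FQDomain rules above to predict the DEFAULT slot values, which helps when you check that events will carry a usable fqhostname before they reach a correlation system. It assumes that the .conf file uses key=value lines with # comments, that yes and no are matched case-insensitively, and that an explicit domain is joined to the host name with a dot; the function names are hypothetical.

```python
# Added illustration: models the FQDomain rules described on this page.
# Assumptions (not from the product documentation): key=value syntax with
# '#' comments, case-insensitive yes/no, '.' as the host/domain separator.

def read_fqdomain(conf_text):
    """Return the FQDomain value found in .conf text, or None if unset."""
    value = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # skip blanks, comments and lines without a key
        key, _, val = line.partition("=")
        if key.strip() == "FQDomain":
            value = val.strip()  # assumption: the last occurrence wins
    return value or None  # assumption: an empty value counts as unset


def expand_default_slots(conf_text, short_host, ip_address, system_domain):
    """Predict hostname, origin and fqhostname for one agent.

    system_domain stands in for the domain the agent would determine
    itself when FQDomain is yes.
    """
    setting = read_fqdomain(conf_text)
    if setting is None or setting.lower() == "no":
        fqhostname = ""  # unset or no: blank string
    elif setting.lower() == "yes":
        fqhostname = f"{short_host}.{system_domain}"
    else:
        # Any other value is taken as the domain name itself.
        fqhostname = f"{short_host}.{setting.lstrip('.')}"
    return {"hostname": short_host, "origin": ip_address,
            "fqhostname": fqhostname}


def format_event(slots):
    """Render the slots in the same form as the example on this page."""
    return ", ".join(f'"{name}={value}"' for name, value in slots.items())


if __name__ == "__main__":
    # Constructed sample settings covering all three rules.
    for conf in ("FQDomain=yes", "# FQDomain not set", "FQDomain=corp.example"):
        slots = expand_default_slots(conf, "myhost", "192.168.1.100",
                                     "mycompany.com")
        print(f"{conf!r:24} -> {format_event(slots)}")
```

A blank fqhostname in the second case is the result to watch for: events from that agent can then be attributed only by short host name and IP address.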

FILENAME

The FILENAME keyword indicates the fully qualified file name (including the path) of the log file that contains the message. If you use a single agent to monitor multiple log files and you need to identify the source of the event, use this keyword to populate an event attribute with the file name. If the message comes from the system log, mapping is set to EventLog for Windows OS agents and SysLogD for UNIX OS agents.

Note: The path includes an attribute for this keyword.

LABEL

The LABEL keyword specifies the host name of the system where the agent is running.

REGEX

The REGEX keyword expands to the regular expression that matched the message and caused the event.