Reference:
http://www.balabit.com/products/syslog_ng/reference-1.6/syslog-ng.html/index.html#id2524536
FACILITY
The name of the facility from where the message originates.
PRIORITY or LEVEL
The priority of the message.
TAG
The priority and facility encoded as a 2 digit hexadecimal number.
PRI
The priority and facility encoded as a 2 or 3 digit decimal number as it is present in syslog messages.
DATE
Date of the message using the BSD-syslog style timestamp format (month/day/hour/minute/second, each expressed in two digits).
FULLDATE
Date of the message using the same format as DATE, but including the year as well.
ISODATE
Date of the message in the ISO standard timestamp format (yy-mm-ddThh:mm:ss+-ZONE). If possible, it is recommended to use ISODATE for timestamping.
YEAR
The year the message was sent. Time expansion macros can use either the time specified in the log message (that is, the time the log message was sent) or the time the message was received by the log server. This is controlled by the use_time_recvd() option (see the section called “Options reference”).
MONTH
The month the message was sent.
DAY
The day of month the message was sent.
WEEKDAY
The 3-letter name of the day of week the message was sent, e.g.: 'Thu'.
HOUR
The hour of day the message was sent.
MIN
The minute the message was sent.
SEC
The second the message was sent.
TZOFFSET
The time-zone as hour offset from GMT; e.g.: '-0700'.
TZ
The time zone name or abbreviation; e.g.: 'PDT'.
HOST
The name of the source host from which the message originates. If the message traverses several hosts and the chain_hostnames() option is on (see the section called “Options reference”), the first host in the chain is used.
FULLHOST
The full FQDN of the host name chain, including the domain name.
HOST_FROM
Name of the host that sent the message to syslog-ng. If the message traverses several hosts, this is the last host in the chain.
FULLHOST_FROM
FQDN of the host that sent the message to syslog-ng. If the message traverses several hosts, this is the last host in the chain.
SOURCEIP
IP address of the host that sent the message to syslog-ng. (I.e. the IP address of the host in the FULLHOST_FROM macro.)
PROGRAM
The name of the program sending the message.
MSG or MESSAGE
Message contents including the program name and pid.
MSGONLY
Message contents without the program name.
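
To show how several of the macros above relate to the raw message, here is an added example (not part of the syslog-ng reference or its source code) that parses one BSD-syslog line and derives PRI, TAG, FACILITY, PRIORITY, DATE, HOST, PROGRAM, MSG and MSGONLY from it. The function names, the regular expressions and the facility/level name tables are assumptions based on the conventional syslog(3) numbering, and the sample line is constructed.

```python
import re

# Assumed names, following the conventional syslog(3) tables; codes 12-15 vary by platform.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"]
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd hh:mm:ss host message
LINE_RE = re.compile(
    r"<(?P<pri>\d{1,3})>"
    r"(?P<date>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)", re.S)
# program[pid]: text   (the pid part is optional)
PROG_RE = re.compile(r"(?P<program>[^\s:\[]+)(?:\[\d+\])?: ?(?P<msgonly>.*)", re.S)

def facility_name(code):
    if code < len(FACILITIES):
        return FACILITIES[code]
    if 16 <= code <= 23:
        return "local%d" % (code - 16)
    return str(code)  # no portable name: fall back to the number

def expand_macros(line):
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError("not a BSD-syslog line")
    pri = int(m.group("pri"))
    if pri > 191:  # 23 * 8 + 7 is the largest valid facility/level pair
        raise ValueError("PRI out of range")
    msg = m.group("msg")
    p = PROG_RE.match(msg)
    return {
        "PRI": str(pri),                   # decimal, as it appears on the wire
        "TAG": "%02x" % pri,               # same value as 2-digit hex
        "FACILITY": facility_name(pri >> 3),
        "PRIORITY": LEVELS[pri & 7],
        "DATE": m.group("date"),
        # HOST is read from the message text itself; HOST_FROM and SOURCEIP
        # describe the sending peer and cannot be derived from the line.
        "HOST": m.group("host"),
        "PROGRAM": p.group("program") if p else "",
        "MSG": msg,
        "MSGONLY": p.group("msgonly") if p else msg,
    }

# Constructed sample line (not from a real system).
SAMPLE = "<38>Oct 11 22:14:15 gw01 sshd[4721]: Failed password for invalid user admin from 192.0.2.10"
```

Because HOST comes from message content, per-host filing or alerting that needs to know which peer actually delivered the message should key on HOST_FROM or SOURCEIP instead.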
