<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <meta content="text/html; charset=ISO-8859-1"
 http-equiv="Content-Type">
  <title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
Hi,<br>
<br>
I'm afraid that you may misunderstand how this feature works. The
tag field exists only within a running syslog-ng and is just a virtual
part of the message. The sent message doesn't contain tag fields; that's
why you cannot filter on these tags with another syslog-ng.<br>
<br>
However, I can suggest another solution:<br>
use the program_override option. This will override the $PROGRAM macro
with the specified value.<br>
For example:<br>
<span class="781465113-31032010"><font face="Arial" size="2">source
s_app {<br>
file("/var/log/log1.log" program_override("/var/log/log1.log"));<br>
file("/opt//log/log2.log" tags("log2") program_override("/opt/log/log2.log"));<br>
file("/opt/log/log3.log" tags("log3") program_override("/opt/log/log3.log"));<br>
};</font></span><br>
<br>
After that, you can use a specified program filter on the central
logging server side to separate them.<br>
<br>
On 2010.03.31 at 16:39, Hoenig, Stefan, VF-Group wrote:
<blockquote
 cite="mid:CDC294DF451A024FA7AC8108F554EE1604D1479C@EITO-MBX02.internal.vodafone.com"
 type="cite">
  <div><span class="781465113-31032010"><font face="Arial" size="2">Hi
all,</font></span></div>
  <div><span class="781465113-31032010"><font face="Arial" size="2">I
have a problem getting the "tags" feature working on our syslog-ng 3.1. I
want to collect messages from 3 different files on the</font></span></div>
  <div><span class="781465113-31032010"><font face="Arial" size="2">source
system and want to separate&nbsp;them again on the central logging server.</font></span></div>
  <div><span class="781465113-31032010"><font face="Arial" size="2">The
client configuration looks like this:</font></span></div>
  <div><span class="781465113-31032010"><font face="Arial" size="2">----------------------------------------------------------------------------------------------------</font></span></div>
  <div><span class="781465113-31032010"><font face="Arial" size="2">source
s_app {<br>
file("/var/log/log1.log");<br>
file("/opt//log/log2.log" tags("log2"));<br>
file("/opt/log/log3.log" tags("log3"));<br>
};</font></span></div>
  <div><span class="781465113-31032010"><font face="Arial" size="2">options
{<br>
};</font></span><span class="781465113-31032010"><br>
  <font face="Arial"><font size="2"><br>
destination d_app { tcp("logrelay01.domain.com" port(13074)); };<br>
  <br>
log {<br>
source(s_app);<br>
destination(d_app);<br>
};<br>
  <span class="781465113-31032010">----------------------------------------------------------------------------------------------------</span></font></font></span></div>
  <div><span class="781465113-31032010"></span>&nbsp;</div>
  <div><span class="781465113-31032010"><font face="Arial" size="2">The
log relay does nothing other than forward the messages to the central logging
server with the following config:</font></span></div>
  <div><span class="781465113-31032010"><span class="781465113-31032010"><font
 face="Arial" size="2">----------------------------------------------------------------------------------------------------</font></span></span></div>
  <div><span class="781465113-31032010"><span class="781465113-31032010"><font
 face="Arial" size="2">options {<br>
time_sleep(20);<br>
log_fifo_size(1000);<br>
dns_cache(2000);<br>
dns_cache_expire(87600);<br>
keep_hostname(yes);<br>
};</font></span></span></div>
  <div><span class="781465113-31032010"><span class="781465113-31032010"><font
 face="Arial" size="2"><br>
source s_remote { tcp(ip("0.0.0.0") port(13074)); };</font></span></span></div>
  <div>&nbsp;</div>
  <div><span class="781465113-31032010"><span class="781465113-31032010"><font
 face="Arial" size="2">destination remote_tcp {
tcp("centrallog01.domain.com" port(13074)); };</font></span></span></div>
  <div><span class="781465113-31032010"><span class="781465113-31032010"></span></span><span
 class="781465113-31032010"><span class="781465113-31032010">&nbsp;</span></span></div>
  <div><font face="Arial" size="2">log {<br>
source(s_<span class="781465113-31032010">remote</span>);<br>
destination(<span class="781465113-31032010">remote</span>_tcp);<br>
};<br>
  <span class="781465113-31032010"><span class="781465113-31032010"><font
 face="Arial" size="2">----------------------------------------------------------------------------------------------------</font></span></span></font></div>
  <div><font face="Arial" size="2"><span class="781465113-31032010"><span
 class="781465113-31032010"></span></span></font>&nbsp;</div>
  <div><font face="Arial" size="2"><span class="781465113-31032010"><span
 class="781465113-31032010">On the central logging server I use filters
to separate the logfiles again:</span></span></font></div>
  <div><font face="Arial" size="2"><span class="781465113-31032010"><span
 class="781465113-31032010"><span class="781465113-31032010"><span
 class="781465113-31032010"><font face="Arial" size="2">----------------------------------------------------------------------------------------------------</font></span></span></span></span></font></div>
  <div><font face="Arial" size="2"><span class="781465113-31032010"><span
 class="781465113-31032010"><span class="781465113-31032010"><span
 class="781465113-31032010">@version: 3.0<br>
  </span></span></span></span></font><font face="Arial" size="2"><span
 class="781465113-31032010"><span class="781465113-31032010"><span
 class="781465113-31032010"><span class="781465113-31032010"></span></span></span></span></font></div>
  <div><font face="Arial" size="2"><span class="781465113-31032010"><span
 class="781465113-31032010"><span class="781465113-31032010"><span
 class="781465113-31032010">include "/opt/config/syslogng-inc.conf";</span></span></span></span></font></div>
  <div>&nbsp;</div>
  <div><font face="Arial" size="2"><span class="781465113-31032010"><span
 class="781465113-31032010"><span class="781465113-31032010"><span
 class="781465113-31032010">options {<br>
time_sleep(20);<br>
dns_cache(2000);<br>
dns_cache_expire(87600);<br>
keep_hostname(yes);<br>
create_dirs(yes);<br>
};</span></span></span></span></font></div>
  <div><span class="781465113-31032010"><span class="781465113-31032010"><span
 class="781465113-31032010"><span class="781465113-31032010"><font
 face="Arial" size="2"><br>
source s_<span class="781465113-31032010">remote</span> { tcp
(ip("0.0.0.0") port(13074) keep-alive(yes)); };<br>
  </font></span></span></span></span></div>
  <div><font face="Arial" size="2"><span class="781465113-31032010"><span
 class="781465113-31032010"><span class="781465113-31032010"><span
 class="781465113-31032010">============================================</span></span></span></span></font></div>
  <div><font face="Arial" size="2"><span class="781465113-31032010"><span
 class="781465113-31032010"><span class="781465113-31032010"><span
 class="781465113-31032010"></span></span></span></span></font>&nbsp;</div>
  <div><font face="Arial" size="2"><span class="781465113-31032010"><span
 class="781465113-31032010"><span class="781465113-31032010"><span
 class="781465113-31032010">This is the configuration in
/opt/config/syslogng-inc.conf</span></span></span></span></font></div>
  <div><font face="Arial" size="2"><span class="781465113-31032010"><span
 class="781465113-31032010"><span class="781465113-31032010"><span
 class="781465113-31032010"># Filter<br>
filter f_log1 { host("web00(09|10)"); };<br>
filter f_log2 { host("web00(09|10)") and tags("log2"); };<br>
filter f_log3 { host("web00(09|10)") and tags("log3"); };</span></span></span></span></font></div>
  <div>&nbsp;</div>
  <div><font face="Arial" size="2"><span class="781465113-31032010"><span
 class="781465113-31032010"><span class="781465113-31032010"><span
 class="781465113-31032010">#Configuration for Destinations</span></span></span></span></font></div>
  <div><font face="Arial" size="2"><span class="781465113-31032010"><span
 class="781465113-31032010"><span class="781465113-31032010"><span
 class="781465113-31032010">destination d_log1 {
file("/var/logs/log1/combined.log" perm(0755) dir_perm(0755)); };<br>
destination d_log2 { file("/var/logs/log2/combined.log" perm(0755)
dir_perm(0755)); };<br>
destination d_log3 { file("/var/logs/log3/combined.log" perm(0755)
dir_perm(0755)); };<br>
  </span></span></span></span></font></div>
  <div><font face="Arial" size="2"><span class="781465113-31032010"><span
 class="781465113-31032010"><span class="781465113-31032010"><span
 class="781465113-31032010"># Logfile&nbsp;log1<br>
log {<br>
source(s_remote);<br>
filter(f_log1);<br>
destination(d_log1);<br>
};</span></span></span></span></font></div>
  <div>&nbsp;</div>
  <div><font face="Arial" size="2"><span class="781465113-31032010"><span
 class="781465113-31032010"><span class="781465113-31032010"><span
 class="781465113-31032010"># Logfile log2<br>
log {<br>
source(s_remote);<br>
filter(f_log2);<br>
destination(d_log2);<br>
};</span></span></span></span></font></div>
  <div>&nbsp;</div>
  <div><font face="Arial" size="2"><span class="781465113-31032010"><span
 class="781465113-31032010"><span class="781465113-31032010"><span
 class="781465113-31032010"># Logfile log3</span></span></span></span></font></div>
  <div><font face="Arial" size="2"><span class="781465113-31032010"><span
 class="781465113-31032010"><span class="781465113-31032010"><span
 class="781465113-31032010">log {<br>
source(s_remote);<br>
filter(f_log3);<br>
destination(d_log3);<br>
};</span></span></span></span></font></div>
  <div><span class="781465113-31032010"><span class="781465113-31032010"><span
 class="781465113-31032010"><span class="781465113-31032010"><font
 face="Arial" size="2">----------------------------------------------------------------------------------------------------</font></span></span></span></span></div>
  <div><span class="781465113-31032010"><span class="781465113-31032010"><span
 class="781465113-31032010"><span class="781465113-31032010"></span></span></span></span>&nbsp;</div>
  <div><span class="781465113-31032010"><span class="781465113-31032010"><span
 class="781465113-31032010"><span class="781465113-31032010"><font
 face="Arial" size="2">Does anybody have an idea why it does not work
as expected?</font></span></span></span></span></div>
  <div><span class="781465113-31032010"><span class="781465113-31032010"><span
 class="781465113-31032010"><span class="781465113-31032010"></span></span></span></span>&nbsp;</div>
  <div><span class="781465113-31032010"><span class="781465113-31032010"><span
 class="781465113-31032010"><span class="781465113-31032010"><font
 face="Arial" size="2">Thanks for any suggestion and/or idea.</font></span></span></span></span></div>
  <div><span class="781465113-31032010"><span class="781465113-31032010"><span
 class="781465113-31032010"><span class="781465113-31032010"></span></span></span></span>&nbsp;</div>
  <div><span class="781465113-31032010"><span class="781465113-31032010"><span
 class="781465113-31032010"><span class="781465113-31032010"><font
 face="Arial" size="2">Best regards Stefan</font></span></span></span></span></div>
  <div><span class="781465113-31032010"><span class="781465113-31032010"><span
 class="781465113-31032010"><span class="781465113-31032010"></span></span></span></span>&nbsp;</div>
</blockquote>
<br>
<br>
<div class="moz-signature">-- <br>
pzolee</div>
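<p>The central-server half of this suggestion, as an added example that is not part of the original thread: the filters match the $PROGRAM values that program_override() sets on the client. The source, host pattern and file paths come from the quoted configuration; type("string"), the tighter file permissions and the d_unmatched fallback destination are assumptions of this example.</p>

```conf
# Added example (not from the thread): central logging server, single file
# instead of the main config plus /opt/config/syslogng-inc.conf.
@version: 3.0

options {
    keep_hostname(yes);
    create_dirs(yes);
};

source s_remote { tcp(ip("0.0.0.0") port(13074) keep-alive(yes)); };

# program() matches $PROGRAM, which travels inside the message, unlike tags().
# type("string") asks for a literal whole-value match; the default regular
# expression match treats "." as a wildcard and also matches substrings.
filter f_log1 { host("web00(09|10)") and program("/var/log/log1.log" type("string")); };
filter f_log2 { host("web00(09|10)") and program("/opt/log/log2.log" type("string")); };
filter f_log3 { host("web00(09|10)") and program("/opt/log/log3.log" type("string")); };

# Assumption: perm(0640)/dir_perm(0750) are chosen for this example; the
# quoted configuration uses 0755 for both.
destination d_log1 { file("/var/logs/log1/combined.log" perm(0640) dir_perm(0750)); };
destination d_log2 { file("/var/logs/log2/combined.log" perm(0640) dir_perm(0750)); };
destination d_log3 { file("/var/logs/log3/combined.log" perm(0640) dir_perm(0750)); };

# Hypothetical catch-all path for messages whose $PROGRAM matches none of the
# expected values, so a typo or an unexpected sender is visible, not dropped.
destination d_unmatched { file("/var/logs/unmatched/combined.log" perm(0640) dir_perm(0750)); };

log { source(s_remote); filter(f_log1); destination(d_log1); };
log { source(s_remote); filter(f_log2); destination(d_log2); };
log { source(s_remote); filter(f_log3); destination(d_log3); };

# flags(fallback) delivers only messages that no other log path accepted.
log { source(s_remote); destination(d_unmatched); flags(fallback); };
```

<p>Both $PROGRAM and, with keep_hostname(yes), $HOST are taken from the received message, so these filters sort traffic by what the sender declares and do not authenticate it.</p>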
</body>
</html>