<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2900.5921" name=GENERATOR></HEAD>
<BODY>
<DIV><SPAN class=781465113-31032010><FONT face=Arial size=2>Hi
all,</FONT></SPAN></DIV>
<DIV><SPAN class=781465113-31032010><FONT face=Arial size=2>I got a problem to
get the "tags" feature working on our syslog-ng 3.1. I want to collect messages
from 3 different files on the</FONT></SPAN></DIV>
<DIV><SPAN class=781465113-31032010><FONT face=Arial size=2>source system and
want to separate them again on the central logging
server.</FONT></SPAN></DIV>
<DIV><SPAN class=781465113-31032010><FONT face=Arial size=2>The client
configuration looks like this:</FONT></SPAN></DIV>
<DIV><SPAN class=781465113-31032010><FONT face=Arial
size=2>----------------------------------------------------------------------------------------------------</FONT></SPAN></DIV>
<DIV><SPAN class=781465113-31032010><FONT face=Arial size=2>source s_app
{<BR>file("/var/log/log1.log");<BR>file("/opt//log/log2.log"
tags("log2"));<BR>file("/opt/log/log3.log"
tags("log3"));<BR>};</FONT></SPAN></DIV>
<DIV><SPAN class=781465113-31032010><FONT face=Arial size=2>options
{<BR>};</FONT></SPAN><SPAN class=781465113-31032010><BR><FONT face=Arial><FONT
size=2><BR>destination d_app { tcp("logrelay01.domain.com" port(13074));
};<BR><BR>log {<BR>source(s_app);<BR>destination(d_app);<BR>};<BR><SPAN
class=781465113-31032010>----------------------------------------------------------------------------------------------------</SPAN></FONT></FONT></DIV>
<DIV><SPAN class=781465113-31032010><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=781465113-31032010><FONT face=Arial size=2>The log relay does
nothing than forward the messages to the central logging server with the
following config:</FONT></SPAN></DIV>
<DIV><SPAN class=781465113-31032010><SPAN class=781465113-31032010><FONT
face=Arial
size=2>----------------------------------------------------------------------------------------------------</FONT></SPAN></SPAN></DIV>
<DIV><SPAN class=781465113-31032010><SPAN class=781465113-31032010><FONT
face=Arial size=2>options
{<BR>time_sleep(20);<BR>log_fifo_size(1000);<BR>dns_cache(2000);<BR>dns_cache_expire(87600);<BR>keep_hostname(yes);<BR>};</FONT></SPAN></SPAN></DIV>
<DIV><SPAN class=781465113-31032010><SPAN class=781465113-31032010><FONT
face=Arial size=2><BR>source s_remote { tcp(ip("0.0.0.0") port(13074));
};</FONT></SPAN></SPAN></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><SPAN class=781465113-31032010><SPAN class=781465113-31032010><FONT
face=Arial size=2>destination remote_tcp { tcp("centrallog01.domain.com"
port(13074)); };</FONT></SPAN></SPAN></DIV>
<DIV><SPAN class=781465113-31032010><SPAN class=781465113-31032010><FONT
face=Arial size=2></FONT></SPAN></SPAN><SPAN class=781465113-31032010><SPAN
class=781465113-31032010> </DIV>
<DIV><FONT face=Arial size=2>log {<BR>source(s_<SPAN
class=781465113-31032010>remote</SPAN>);<BR>destination(<SPAN
class=781465113-31032010>remote</SPAN>_tcp);<BR>};<BR><SPAN
class=781465113-31032010><SPAN class=781465113-31032010><FONT face=Arial
size=2>----------------------------------------------------------------------------------------------------</FONT></SPAN></SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN class=781465113-31032010><SPAN
class=781465113-31032010></SPAN></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=781465113-31032010><SPAN
class=781465113-31032010>On the central logging server I use filters to separate
the logfiles again:</SPAN></SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN class=781465113-31032010><SPAN
class=781465113-31032010><SPAN class=781465113-31032010><SPAN
class=781465113-31032010><FONT face=Arial
size=2>----------------------------------------------------------------------------------------------------</FONT></SPAN></SPAN></SPAN></SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN class=781465113-31032010><SPAN
class=781465113-31032010><SPAN class=781465113-31032010><SPAN
class=781465113-31032010>@version:
3.0<BR></SPAN></SPAN></SPAN></SPAN></FONT><FONT face=Arial size=2><SPAN
class=781465113-31032010><SPAN class=781465113-31032010><SPAN
class=781465113-31032010><SPAN
class=781465113-31032010></SPAN></SPAN></SPAN></SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN class=781465113-31032010><SPAN
class=781465113-31032010><SPAN class=781465113-31032010><SPAN
class=781465113-31032010>include
"/opt/config/syslogng-inc.conf";</SPAN></SPAN></SPAN></SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=781465113-31032010><SPAN
class=781465113-31032010><SPAN class=781465113-31032010><SPAN
class=781465113-31032010>options
{<BR>time_sleep(20);<BR>dns_cache(2000);<BR>dns_cache_expire(87600);<BR>keep_hostname(yes);<BR>create_dirs(yes);<BR>};</SPAN></SPAN></SPAN></SPAN></FONT></DIV>
<DIV><SPAN class=781465113-31032010><SPAN class=781465113-31032010><SPAN
class=781465113-31032010><SPAN class=781465113-31032010><FONT face=Arial
size=2><BR>source s_<SPAN class=781465113-31032010>remote</SPAN> { tcp
(ip("0.0.0.0") port(13074) keep-alive(yes));
};<BR></FONT></SPAN></SPAN></SPAN></SPAN></DIV>
<DIV><FONT face=Arial size=2><SPAN class=781465113-31032010><SPAN
class=781465113-31032010><SPAN class=781465113-31032010><SPAN
class=781465113-31032010>============================================</SPAN></SPAN></SPAN></SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN class=781465113-31032010><SPAN
class=781465113-31032010><SPAN class=781465113-31032010><SPAN
class=781465113-31032010></SPAN></SPAN></SPAN></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=781465113-31032010><SPAN
class=781465113-31032010><SPAN class=781465113-31032010><SPAN
class=781465113-31032010>This is the confoguration in
/opt/config/syslogng-inc.conf</SPAN></SPAN></SPAN></SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN class=781465113-31032010><SPAN
class=781465113-31032010><SPAN class=781465113-31032010><SPAN
class=781465113-31032010># Filter<BR>filter f_log1 { host("web00(09|10)");
};<BR>filter f_log2 { host("web00(09|10)") and tags("log2"); };<BR>filter f_log3
{ host("web00(09|10)") and tags("log3");
};</SPAN></SPAN></SPAN></SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=781465113-31032010><SPAN
class=781465113-31032010><SPAN class=781465113-31032010><SPAN
class=781465113-31032010>#Configuration for
Destinations</SPAN></SPAN></SPAN></SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN class=781465113-31032010><SPAN
class=781465113-31032010><SPAN class=781465113-31032010><SPAN
class=781465113-31032010>destination d_log1 { file("/var/logs/log1/combined.log"
perm(0755) dir_perm(0755)); };<BR>destination d_log2 {
file("/var/logs/log2/combined.log" perm(0755) dir_perm(0755)); };<BR>destination
d_log3 { file("/var/logs/log3/combined.log" perm(0755) dir_perm(0755));
};<BR></SPAN></SPAN></SPAN></SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN class=781465113-31032010><SPAN
class=781465113-31032010><SPAN class=781465113-31032010><SPAN
class=781465113-31032010># Logfile log1<BR>log
{<BR>source(s_remote);<BR>filter(f_log1);<BR>destination(d_log1);<BR>};</SPAN></SPAN></SPAN></SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=781465113-31032010><SPAN
class=781465113-31032010><SPAN class=781465113-31032010><SPAN
class=781465113-31032010># Logfile log2<BR>log
{<BR>source(s_remote);<BR>filter(f_log2);<BR>destination(d_log2);<BR>};</SPAN></SPAN></SPAN></SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=781465113-31032010><SPAN
class=781465113-31032010><SPAN class=781465113-31032010><SPAN
class=781465113-31032010># Logfile log3</SPAN></SPAN></SPAN></SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN class=781465113-31032010><SPAN
class=781465113-31032010><SPAN class=781465113-31032010><SPAN
class=781465113-31032010>log
{<BR>source(s_remote);<BR>filter(f_log3);<BR>destination(d_log3);<BR>};</SPAN></SPAN></SPAN></SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2></FONT><SPAN class=781465113-31032010><SPAN
class=781465113-31032010><SPAN class=781465113-31032010><SPAN
class=781465113-31032010><FONT face=Arial
size=2>----------------------------------------------------------------------------------------------------</FONT></SPAN></SPAN></SPAN></SPAN></DIV>
<DIV><SPAN class=781465113-31032010><SPAN class=781465113-31032010><SPAN
class=781465113-31032010><SPAN class=781465113-31032010><FONT face=Arial
size=2></FONT></SPAN></SPAN></SPAN></SPAN> </DIV>
<DIV><SPAN class=781465113-31032010><SPAN class=781465113-31032010><SPAN
class=781465113-31032010><SPAN class=781465113-31032010><FONT face=Arial
size=2>Does anybody have an idea, why it does not work as
expected.</FONT></SPAN></SPAN></SPAN></SPAN></DIV>
<DIV><SPAN class=781465113-31032010><SPAN class=781465113-31032010><SPAN
class=781465113-31032010><SPAN class=781465113-31032010><FONT face=Arial
size=2></FONT></SPAN></SPAN></SPAN></SPAN> </DIV>
<DIV><SPAN class=781465113-31032010><SPAN class=781465113-31032010><SPAN
class=781465113-31032010><SPAN class=781465113-31032010><FONT face=Arial
size=2>Thanks for any suggestion and/or
idea.</FONT></SPAN></SPAN></SPAN></SPAN></DIV>
<DIV><SPAN class=781465113-31032010><SPAN class=781465113-31032010><SPAN
class=781465113-31032010><SPAN class=781465113-31032010><FONT face=Arial
size=2></FONT></SPAN></SPAN></SPAN></SPAN> </DIV>
<DIV><SPAN class=781465113-31032010><SPAN class=781465113-31032010><SPAN
class=781465113-31032010><SPAN class=781465113-31032010><FONT face=Arial
size=2>Best regards Stefan</FONT></SPAN></SPAN></SPAN></SPAN></DIV>
<DIV><SPAN class=781465113-31032010><SPAN class=781465113-31032010><SPAN
class=781465113-31032010><SPAN class=781465113-31032010><FONT face=Arial
size=2></FONT></SPAN></SPAN></SPAN></SPAN></SPAN></SPAN></SPAN> </DIV></BODY></HTML>