Ok, I think I see what you're saying: the tag only exists on the local box and does not get forwarded in the message. You were saying you have to overwrite the original program with some other value so that the tag is permanent and will survive multiple relays. Sorry for the confusion. <span style="font-family: courier new;"><br>
</span><br><div class="gmail_quote">So the difference is that tags are only supported on some types of sources?<br><br>On Thu, Apr 1, 2010 at 9:40 AM, Zoltán Pallagi <span dir="ltr"><<a href="mailto:pzolee@balabit.hu">pzolee@balabit.hu</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div bgcolor="#ffffff" text="#000000"><div class="im">
Martin Holste wrote:
<blockquote type="cite">Ok, so '.sources' has nothing to do with user-provided
tags, but in his example Marci uses:<br>
<br>
<span style="font-family: courier new;">source s_tcp2 {</span><br>
<span style="font-family: courier new;"> tcp(ip(192.168.1.2)
port(1514) tags("tcp", "windows));</span><br>
<span style="font-family: courier new;">};<br>
<br>
</span><span style="font-family: courier new;">#Match on tags "tcp"
or "udp"</span><br>
<span style="font-family: courier new;">filter f_net {</span><br>
<span style="font-family: courier new;"> tags("tcp", "udp");</span><br>
<span style="font-family: courier new;">};</span><br>
<br>
Which seems to imply that arbitrary user tags can be set and then
matched on in a filter later. So, it seems what is missing from
Stefan's config was:<br>
<br>
<span><span><span><span><font face="Arial" size="2">source s_<span>remote</span>
{ tcp
(ip("0.0.0.0") port(13074) keep-alive(yes) tags("log2"); };</font></span></span></span></span><br>
<br>
Which would allow his later filter statement <br>
<font face="Arial" size="2"><span><span><span><span><br>
filter f_log2 { host("web00(09|10)") and tags("log2"); };</span></span></span></span></font><br>
<br>
to succeed. Right?<br>
</blockquote></div>
Yes and no. It's a correct way to use tagging on sources.<br>
<br>
And no, because his original aim wasn't that.<br>
He wanted to mark logs coming from different source files of the client
by tags and than to recreate almost the same file and log structure on
the server by these tags.<br>
<br>
In your solution he would have only one tag for all the messages coming
from different sources of client.<br>
<br>
<blockquote type="cite"><div><div></div><div class="h5"><br>
<div class="gmail_quote">On Thu, Apr 1, 2010 at 8:37 AM, Zoltán
Pallagi <span dir="ltr"><<a href="mailto:pzolee@balabit.hu" target="_blank">pzolee@balabit.hu</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div bgcolor="#ffffff" text="#000000">
<div>Martin Holste wrote:
<blockquote type="cite">Please step in and correct me if I'm wrong
here, but
according to Marci's blog post at <a href="http://marci.blogs.balabit.com/2009/05/tag-support-in-syslog-ng.html" target="_blank">http://marci.blogs.balabit.com/2009/05/tag-support-in-syslog-ng.html</a>
it would appear that this is possible using different syntax. Namely,
using <span style="font-family: courier new;">tags(".source.log2")</span>
in your filter.<br>
</blockquote>
</div>
No, you are using a wrong tag name.<br>
In this case, you can use the following tag:<br>
tags(".source.s_app")<br>
<br>
this is an on-the-fly generated tag,every incoming message has it one
given with the following formula: ".source.<sourcename>"
<blockquote type="cite">
<div>
<div><br>
<div class="gmail_quote">On Wed, Mar 31, 2010 at 12:57 PM, Zoltán
Pallagi <span dir="ltr"><<a href="mailto:pzolee@balabit.hu" target="_blank">pzolee@balabit.hu</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div bgcolor="#ffffff" text="#000000">Hi,<br>
<br>
I'm afraid that you may misunderstand the working of this feature. The
tag field exists only within a running syslog-ng and just a virtual
part of the message. The sent message doesn't contain tag fields that's
why you cannot filter these tags with another syslog-ng.<br>
<br>
However, I can suggest you an other solution:<br>
use the program_override option. This will override the $PROGRAM macro
with the specified value.<br>
For example:<br>
<span><font face="Arial" size="2">source
s_app {<br>
file("/var/log/log1.log" program_override("</font></span><span><font face="Arial" size="2">/var/log/log1.log"</font></span><span><font face="Arial" size="2">));<br>
file("/opt//log/log2.log" tags("log2") </font></span><span><font face="Arial" size="2">program_override("</font></span><span><font face="Arial" size="2">/opt/log/log2.log"</font></span><span><font face="Arial" size="2">)</font></span><span><font face="Arial" size="2">);<br>
file("/opt/log/log3.log" tags("log3") </font></span><span><font face="Arial" size="2">program_override("</font></span><span><font face="Arial" size="2">/opt/log/log3.log"</font></span><span><font face="Arial" size="2">)</font></span><span><font face="Arial" size="2">);<br>
};</font></span><br>
<br>
After that, you can use a specified program filter on the central
logging server side to separate them.<br>
<br>
2010.03.31. 16:39 keltezéssel, Hoenig, Stefan, VF-Group írta:
<blockquote type="cite">
<div>
<div>
<div><span><font face="Arial" size="2">Hi
all,</font></span></div>
<div><span><font face="Arial" size="2">I
got a problem to get the "tags" feature working on our syslog-ng 3.1. I
want to collect messages from 3 different files on the</font></span></div>
<div><span><font face="Arial" size="2">source
system and want to separate them again on the central logging server.</font></span></div>
<div><span><font face="Arial" size="2">The
client configuration looks like this:</font></span></div>
<div><span><font face="Arial" size="2">----------------------------------------------------------------------------------------------------</font></span></div>
<div><span><font face="Arial" size="2">source
s_app {<br>
file("/var/log/log1.log");<br>
file("/opt//log/log2.log" tags("log2"));<br>
file("/opt/log/log3.log" tags("log3"));<br>
};</font></span></div>
<div><span><font face="Arial" size="2">options
{<br>
};</font></span><span><br>
<font face="Arial"><font size="2"><br>
destination d_app { tcp("<a href="http://logrelay01.domain.com" target="_blank">logrelay01.domain.com</a>"
port(13074)); };<br>
<br>
log {<br>
source(s_app);<br>
destination(d_app);<br>
};<br>
<span>----------------------------------------------------------------------------------------------------</span></font></font></span></div>
<div><span></span> </div>
<div><span><font face="Arial" size="2">The
log relay does nothing than forward the messages to the central logging
server with the following config:</font></span></div>
<div><span><span><font face="Arial" size="2">----------------------------------------------------------------------------------------------------</font></span></span></div>
<div><span><span><font face="Arial" size="2">options {<br>
time_sleep(20);<br>
log_fifo_size(1000);<br>
dns_cache(2000);<br>
dns_cache_expire(87600);<br>
keep_hostname(yes);<br>
};</font></span></span></div>
<div><span><span><font face="Arial" size="2"><br>
source s_remote { tcp(ip("0.0.0.0") port(13074)); };</font></span></span></div>
<div> </div>
<div><span><span><font face="Arial" size="2">destination
remote_tcp {
tcp("<a href="http://centrallog01.domain.com" target="_blank">centrallog01.domain.com</a>" port(13074)); };</font></span></span></div>
<div><span><span></span></span><span><span> </span></span></div>
<div><font face="Arial" size="2">log {<br>
source(s_<span>remote</span>);<br>
destination(<span>remote</span>_tcp);<br>
};<br>
<span><span><font face="Arial" size="2">----------------------------------------------------------------------------------------------------</font></span></span></font></div>
<div><font face="Arial" size="2"><span><span></span></span></font> </div>
<div><font face="Arial" size="2"><span><span>On the central
logging server I use filters
to separate the logfiles again:</span></span></font></div>
<div><font face="Arial" size="2"><span><span><span><span><font face="Arial" size="2">----------------------------------------------------------------------------------------------------</font></span></span></span></span></font></div>
<div><font face="Arial" size="2"><span><span><span><span>@version:
3.0<br>
</span></span></span></span></font><font face="Arial" size="2"><span><span><span><span></span></span></span></span></font></div>
<div><font face="Arial" size="2"><span><span><span><span>include
"/opt/config/syslogng-inc.conf";</span></span></span></span></font></div>
<div> </div>
<div><font face="Arial" size="2"><span><span><span><span>options
{<br>
time_sleep(20);<br>
dns_cache(2000);<br>
dns_cache_expire(87600);<br>
keep_hostname(yes);<br>
create_dirs(yes);<br>
};</span></span></span></span></font></div>
<div><span><span><span><span><font face="Arial" size="2"><br>
source s_<span>remote</span> { tcp
(ip("0.0.0.0") port(13074) keep-alive(yes)); };<br>
</font></span></span></span></span></div>
<div><font face="Arial" size="2"><span><span><span><span>============================================</span></span></span></span></font></div>
<div><font face="Arial" size="2"><span><span><span><span></span></span></span></span></font> </div>
<div><font face="Arial" size="2"><span><span><span><span>This
is
the confoguration in
/opt/config/syslogng-inc.conf</span></span></span></span></font></div>
<div><font face="Arial" size="2"><span><span><span><span>#
Filter<br>
filter f_log1 { host("web00(09|10)"); };<br>
filter f_log2 { host("web00(09|10)") and tags("log2"); };<br>
filter f_log3 { host("web00(09|10)") and tags("log3"); };</span></span></span></span></font></div>
<div> </div>
<div><font face="Arial" size="2"><span><span><span><span>#Configuration
for Destinations</span></span></span></span></font></div>
<div><font face="Arial" size="2"><span><span><span><span>destination
d_log1 {
file("/var/logs/log1/combined.log" perm(0755) dir_perm(0755)); };<br>
destination d_log2 { file("/var/logs/log2/combined.log" perm(0755)
dir_perm(0755)); };<br>
destination d_log3 { file("/var/logs/log3/combined.log" perm(0755)
dir_perm(0755)); };<br>
</span></span></span></span></font></div>
<div><font face="Arial" size="2"><span><span><span><span>#
Logfile log1<br>
log {<br>
source(s_remote);<br>
filter(f_log1);<br>
destination(d_log1);<br>
};</span></span></span></span></font></div>
<div> </div>
<div><font face="Arial" size="2"><span><span><span><span>#
Logfile log2<br>
log {<br>
source(s_remote);<br>
filter(f_log2);<br>
destination(d_log2);<br>
};</span></span></span></span></font></div>
<div> </div>
<div><font face="Arial" size="2"><span><span><span><span>#
Logfile log3</span></span></span></span></font></div>
<div><font face="Arial" size="2"><span><span><span><span>log {<br>
source(s_remote);<br>
filter(f_log3);<br>
destination(d_log3);<br>
};</span></span></span></span></font></div>
<div><span><span><span><span><font face="Arial" size="2">----------------------------------------------------------------------------------------------------</font></span></span></span></span></div>
<div><span><span><span><span></span></span></span></span> </div>
<div><span><span><span><span><font face="Arial" size="2">Does
anybody have an idea, why it does not work
as expected.</font></span></span></span></span></div>
<div><span><span><span><span></span></span></span></span> </div>
<div><span><span><span><span><font face="Arial" size="2">Thanks
for any suggestion and/or idea.</font></span></span></span></span></div>
<div><span><span><span><span></span></span></span></span> </div>
<div><span><span><span><span><font face="Arial" size="2">Best
regards Stefan</font></span></span></span></span></div>
<div><span><span><span><span></span></span></span></span> </div>
</div>
</div>
<pre><fieldset></fieldset>
______________________________________________________________________________
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a>
FAQ: <a href="http://www.campin.net/syslog-ng/faq.html" target="_blank">http://www.campin.net/syslog-ng/faq.html</a>
</pre>
</blockquote>
<br>
<font color="#888888"><br>
<div>-- <br>
pzolee</div>
</font></div>
<br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.campin.net/syslog-ng/faq.html" target="_blank">http://www.campin.net/syslog-ng/faq.html</a><br>
<br>
<br>
</blockquote>
</div>
<br>
</div>
</div>
<pre><hr size="4" width="90%"><div>
______________________________________________________________________________
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a>
FAQ: <a href="http://www.campin.net/syslog-ng/faq.html" target="_blank">http://www.campin.net/syslog-ng/faq.html</a>
</div></pre>
</blockquote>
<br>
<br>
<pre cols="72">--
pzolee
</pre>
</div>
</blockquote>
</div>
<br>
</div></div><pre><hr size="4" width="90%"><div class="im">
______________________________________________________________________________
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a>
FAQ: <a href="http://www.campin.net/syslog-ng/faq.html" target="_blank">http://www.campin.net/syslog-ng/faq.html</a>
</div></pre>
</blockquote>
<br>
<br>
<pre cols="72">--
pzolee
</pre>
</div>
</blockquote></div><br>