Ok, so &#39;.sources&#39; has nothing to do with user-provided tags, but in his example Marci uses:<br><br><span style="font-family: courier new;">source s_tcp2 {</span><br><span style="font-family: courier new;">    tcp(ip(192.168.1.2) port(1514) 
tags(&quot;tcp&quot;, &quot;windows));</span><br><span style="font-family: courier new;">};<br><br></span><span style="font-family: courier new;">#Match on tags &quot;tcp&quot; or &quot;udp&quot;</span><br><span style="font-family: courier new;">filter f_net {</span><br>

<span style="font-family: courier new;">    tags(&quot;tcp&quot;, &quot;udp&quot;);</span><br><span style="font-family: courier new;">};</span><br><br>Which seems to imply that arbitrary user tags can be set and then matched on in a filter later.  So, it seems what is missing from Stefan&#39;s config was:<br>

<br><span><span><span><span><font face="Arial" size="2">source s_<span>remote</span>
 { tcp
(ip(&quot;0.0.0.0&quot;) port(13074) keep-alive(yes) tags(&quot;log2&quot;); };</font></span></span></span></span><br><br>Which would allow his later filter statement <br><font face="Arial" size="2"><span><span><span><span><br>

filter f_log2 { 
host(&quot;web00(09|10)&quot;) and tags(&quot;log2&quot;); };</span></span></span></span></font><br><br>to succeed.  Right?<br><br><div class="gmail_quote">On Thu, Apr 1, 2010 at 8:37 AM, Zoltán Pallagi <span dir="ltr">&lt;<a href="mailto:pzolee@balabit.hu">pzolee@balabit.hu</a>&gt;</span> wrote:<br>

<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">


  

<div bgcolor="#ffffff" text="#000000"><div class="im">
Martin Holste wrote:
<blockquote type="cite">Please step in and correct me if I&#39;m wrong here, but
according to Marci&#39;s blog post at <a href="http://marci.blogs.balabit.com/2009/05/tag-support-in-syslog-ng.html" target="_blank">http://marci.blogs.balabit.com/2009/05/tag-support-in-syslog-ng.html</a>
it would appear that this is possible using different syntax.  Namely,
using <span style="font-family: courier new;">tags(&quot;.source.log2&quot;)</span>
in your filter.<br>
</blockquote></div>
No, you are using a wrong tag name.<br>
In this case, you can use the following tag:<br>
tags(&quot;.source.s_app&quot;)<br>
<br>
this is an on-the-fly generated tag,every incoming message has it one
given with the following formula: &quot;.source.&lt;sourcename&gt;&quot;
<blockquote type="cite"><div><div></div><div class="h5"><br>
  <div class="gmail_quote">On Wed, Mar 31, 2010 at 12:57 PM, Zoltán
Pallagi <span dir="ltr">&lt;<a href="mailto:pzolee@balabit.hu" target="_blank">pzolee@balabit.hu</a>&gt;</span> wrote:<br>
  <blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
    <div bgcolor="#ffffff" text="#000000">Hi,<br>
    <br>
I&#39;m afraid that you may misunderstand the working of this feature. The
tag field exists only within a running syslog-ng and just a virtual
part of the message. The sent message doesn&#39;t contain tag fields that&#39;s
why you cannot filter these tags with another syslog-ng.<br>
    <br>
However, I can suggest you an other solution:<br>
use the program_override option. This will override the $PROGRAM macro
with the specified value.<br>
For example:<br>
    <span><font face="Arial" size="2">source
s_app {<br>
file(&quot;/var/log/log1.log&quot; program_override(&quot;</font></span><span><font face="Arial" size="2">/var/log/log1.log&quot;</font></span><span><font face="Arial" size="2">));<br>
file(&quot;/opt//log/log2.log&quot; tags(&quot;log2&quot;) </font></span><span><font face="Arial" size="2">program_override(&quot;</font></span><span><font face="Arial" size="2">/opt/log/log2.log&quot;</font></span><span><font face="Arial" size="2">)</font></span><span><font face="Arial" size="2">);<br>


file(&quot;/opt/log/log3.log&quot; tags(&quot;log3&quot;) </font></span><span><font face="Arial" size="2">program_override(&quot;</font></span><span><font face="Arial" size="2">/opt/log/log3.log&quot;</font></span><span><font face="Arial" size="2">)</font></span><span><font face="Arial" size="2">);<br>


};</font></span><br>
    <br>
After that, you can use a specified program filter on the central
logging server side to separate them.<br>
    <br>
2010.03.31. 16:39 keltezéssel, Hoenig, Stefan, VF-Group írta:
    <blockquote type="cite">
      <div>
      <div>
      <div><span><font face="Arial" size="2">Hi
all,</font></span></div>
      <div><span><font face="Arial" size="2">I
got a problem to get the &quot;tags&quot; feature working on our syslog-ng 3.1. I
want to collect messages from 3 different files on the</font></span></div>
      <div><span><font face="Arial" size="2">source
system and want to separate them again on the central logging server.</font></span></div>
      <div><span><font face="Arial" size="2">The
client configuration looks like this:</font></span></div>
      <div><span><font face="Arial" size="2">----------------------------------------------------------------------------------------------------</font></span></div>
      <div><span><font face="Arial" size="2">source
s_app {<br>
file(&quot;/var/log/log1.log&quot;);<br>
file(&quot;/opt//log/log2.log&quot; tags(&quot;log2&quot;));<br>
file(&quot;/opt/log/log3.log&quot; tags(&quot;log3&quot;));<br>
};</font></span></div>
      <div><span><font face="Arial" size="2">options
{<br>
};</font></span><span><br>
      <font face="Arial"><font size="2"><br>
destination d_app { tcp(&quot;<a href="http://logrelay01.domain.com" target="_blank">logrelay01.domain.com</a>&quot;
port(13074)); };<br>
      <br>
log {<br>
source(s_app);<br>
destination(d_app);<br>
};<br>
      <span>----------------------------------------------------------------------------------------------------</span></font></font></span></div>
      <div><span></span> </div>
      <div><span><font face="Arial" size="2">The
log relay does nothing than forward the messages to the central logging
server with the following config:</font></span></div>
      <div><span><span><font face="Arial" size="2">----------------------------------------------------------------------------------------------------</font></span></span></div>
      <div><span><span><font face="Arial" size="2">options {<br>
time_sleep(20);<br>
log_fifo_size(1000);<br>
dns_cache(2000);<br>
dns_cache_expire(87600);<br>
keep_hostname(yes);<br>
};</font></span></span></div>
      <div><span><span><font face="Arial" size="2"><br>
source s_remote { tcp(ip(&quot;0.0.0.0&quot;) port(13074)); };</font></span></span></div>
      <div> </div>
      <div><span><span><font face="Arial" size="2">destination
remote_tcp {
tcp(&quot;<a href="http://centrallog01.domain.com" target="_blank">centrallog01.domain.com</a>&quot; port(13074)); };</font></span></span></div>
      <div><span><span></span></span><span><span> </span></span></div>
      <div><font face="Arial" size="2">log {<br>
source(s_<span>remote</span>);<br>
destination(<span>remote</span>_tcp);<br>
};<br>
      <span><span><font face="Arial" size="2">----------------------------------------------------------------------------------------------------</font></span></span></font></div>
      <div><font face="Arial" size="2"><span><span></span></span></font> </div>
      <div><font face="Arial" size="2"><span><span>On the central
logging server I use filters
to separate the logfiles again:</span></span></font></div>
      <div><font face="Arial" size="2"><span><span><span><span><font face="Arial" size="2">----------------------------------------------------------------------------------------------------</font></span></span></span></span></font></div>


      <div><font face="Arial" size="2"><span><span><span><span>@version:
3.0<br>
      </span></span></span></span></font><font face="Arial" size="2"><span><span><span><span></span></span></span></span></font></div>
      <div><font face="Arial" size="2"><span><span><span><span>include
&quot;/opt/config/syslogng-inc.conf&quot;;</span></span></span></span></font></div>
      <div> </div>
      <div><font face="Arial" size="2"><span><span><span><span>options {<br>
time_sleep(20);<br>
dns_cache(2000);<br>
dns_cache_expire(87600);<br>
keep_hostname(yes);<br>
create_dirs(yes);<br>
};</span></span></span></span></font></div>
      <div><span><span><span><span><font face="Arial" size="2"><br>
source s_<span>remote</span> { tcp
(ip(&quot;0.0.0.0&quot;) port(13074) keep-alive(yes)); };<br>
      </font></span></span></span></span></div>
      <div><font face="Arial" size="2"><span><span><span><span>============================================</span></span></span></span></font></div>
      <div><font face="Arial" size="2"><span><span><span><span></span></span></span></span></font> </div>
      <div><font face="Arial" size="2"><span><span><span><span>This is
the confoguration in
/opt/config/syslogng-inc.conf</span></span></span></span></font></div>
      <div><font face="Arial" size="2"><span><span><span><span># Filter<br>
filter f_log1 { host(&quot;web00(09|10)&quot;); };<br>
filter f_log2 { host(&quot;web00(09|10)&quot;) and tags(&quot;log2&quot;); };<br>
filter f_log3 { host(&quot;web00(09|10)&quot;) and tags(&quot;log3&quot;); };</span></span></span></span></font></div>
      <div> </div>
      <div><font face="Arial" size="2"><span><span><span><span>#Configuration
for Destinations</span></span></span></span></font></div>
      <div><font face="Arial" size="2"><span><span><span><span>destination
d_log1 {
file(&quot;/var/logs/log1/combined.log&quot; perm(0755) dir_perm(0755)); };<br>
destination d_log2 { file(&quot;/var/logs/log2/combined.log&quot; perm(0755)
dir_perm(0755)); };<br>
destination d_log3 { file(&quot;/var/logs/log3/combined.log&quot; perm(0755)
dir_perm(0755)); };<br>
      </span></span></span></span></font></div>
      <div><font face="Arial" size="2"><span><span><span><span>#
Logfile log1<br>
log {<br>
source(s_remote);<br>
filter(f_log1);<br>
destination(d_log1);<br>
};</span></span></span></span></font></div>
      <div> </div>
      <div><font face="Arial" size="2"><span><span><span><span>#
Logfile log2<br>
log {<br>
source(s_remote);<br>
filter(f_log2);<br>
destination(d_log2);<br>
};</span></span></span></span></font></div>
      <div> </div>
      <div><font face="Arial" size="2"><span><span><span><span>#
Logfile log3</span></span></span></span></font></div>
      <div><font face="Arial" size="2"><span><span><span><span>log {<br>
source(s_remote);<br>
filter(f_log3);<br>
destination(d_log3);<br>
};</span></span></span></span></font></div>
      <div><span><span><span><span><font face="Arial" size="2">----------------------------------------------------------------------------------------------------</font></span></span></span></span></div>
      <div><span><span><span><span></span></span></span></span> </div>
      <div><span><span><span><span><font face="Arial" size="2">Does
anybody have an idea, why it does not work
as expected.</font></span></span></span></span></div>
      <div><span><span><span><span></span></span></span></span> </div>
      <div><span><span><span><span><font face="Arial" size="2">Thanks
for any suggestion and/or idea.</font></span></span></span></span></div>
      <div><span><span><span><span></span></span></span></span> </div>
      <div><span><span><span><span><font face="Arial" size="2">Best
regards Stefan</font></span></span></span></span></div>
      <div><span><span><span><span></span></span></span></span> </div>
      </div>
      </div>
      <pre><fieldset></fieldset>
______________________________________________________________________________
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a>
FAQ: <a href="http://www.campin.net/syslog-ng/faq.html" target="_blank">http://www.campin.net/syslog-ng/faq.html</a>

  </pre>
    </blockquote>
    <br>
    <font color="#888888"><br>
    <div>-- <br>
pzolee</div>
    </font></div>
    <br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.campin.net/syslog-ng/faq.html" target="_blank">http://www.campin.net/syslog-ng/faq.html</a><br>
    <br>
    <br>
  </blockquote>
  </div>
  <br>
  </div></div><pre><hr size="4" width="90%"><div class="im">
______________________________________________________________________________
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a>
FAQ: <a href="http://www.campin.net/syslog-ng/faq.html" target="_blank">http://www.campin.net/syslog-ng/faq.html</a>

  </div></pre>
</blockquote>
<br>
<br>
<pre cols="72">-- 
pzolee
</pre>
</div>

</blockquote></div><br>