<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#0050d0">
<font size="-1"><font face="Helvetica, Arial, sans-serif">You can do
something like "program-override('logfile/category/subcat')". That way,
later down the line, if you need to test for entries coming from these
sources, you can do "program('logfile')" inside a filter, or
"program('logfile/category')" to match a certain category of the log
files or whatnot.<br>
<br>
-Patrick<br>
</font></font><br>
Sent: Wednesday, August 11, 2010 7:34:16 AM<br>
From: Steve Barnes <a class="moz-txt-link-rfc2396E" href="mailto:steve@echo.id.au"><steve@echo.id.au></a><br>
To: Syslog-ng users' and developers' mailing list
<a class="moz-txt-link-rfc2396E" href="mailto:syslog-ng@lists.balabit.hu"><syslog-ng@lists.balabit.hu></a> <br>
Subject: Re: [syslog-ng] Using source tags in rewrites?
<blockquote
cite="mid:063431e39d0f39795572ec86a330c752.squirrel@10.10.10.1"
type="cite">
<pre wrap="">Patrick
I did consider the program-override together with the $PROGRAM macro, but
I was concerned that ~70 different $PROGRAM types would come back to haunt
me some where down the line. Having a single $PROGRAM to summarise the log
file related traffic felt like a less "risky" / more manageable approach.
Saying that, it looks like I don't have much choice given that I'm
presently using the OSE version.
Thanks for the suggestion, I'll give it a whirl and see what the end
result looks like :-)
Cheers
Steve
</pre>
<blockquote type="cite">
<pre wrap="">Ok, I see what you're doing now :-)

There's another simple solution that pops into mind; the file() source
driver supports the 'program-override()' option. Basically any logs read
from that file would have whatever $PROGRAM you specified. And that
$PROGRAM macro will be propagated from the client syslog-ng to your
server.

-Patrick

Sent: Tuesday, August 10, 2010 5:12:10 PM
From: Steve Barnes <a class="moz-txt-link-rfc2396E" href="mailto:steve@echo.id.au"><steve@echo.id.au></a>
To: Syslog-ng users' and developers' mailing list
<a class="moz-txt-link-rfc2396E" href="mailto:syslog-ng@lists.balabit.hu"><syslog-ng@lists.balabit.hu></a>
Subject: Re: [syslog-ng] Using source tags in rewrites?
To what end? Rewrites are used to change or set key/value pairs. Flags
aren't key/value pairs, they're flags, meaning you either have the flag, or
you don't. Think of it this way; each incoming log statement has a list of
flag names associated with it, you can see if a certain flag name is in
that list, but that's it. It would help to know what you're trying to
accomplish though.

-Patrick

Patrick
I have ~70 different log files containing the results of a daily
processing cycle. None of these log files are Syslog formatted. Unlike an
Apache log file entry, each line of these log files is ambiguous - unless
you referred to a portion of the file name, you'd have no way to
differentiate a line from one file with another line from another file.

The plan is to have SyslogNG set up as a client on a machine, tracking the
contents of these files as they are updated. Interesting lines are
filtered on the client with matching lines pushed across the network to a
SyslogNG server. The server is responsible for processing lines against a
pattern DB and then stuffing the useful information into a PostgreSQL
backend. What I was hoping to do on the client side is tag each source in
syslog-ng.conf with a meaningful name and then include that tag in either
the IETF structured data or, by using a rewrite, prefix each log line
before transmission with the tag value. This would give the SyslogNG
server at the other end some way to differentiate messages as they arrived.

Further reading yesterday uncovered the following in the 3.2 PE
documentation:
<a class="moz-txt-link-freetext" href="http://www.balabit.com/dl/html/syslog-ng-pe-v3.2-guide-admin-en.html/tagging_messages.html">http://www.balabit.com/dl/html/syslog-ng-pe-v3.2-guide-admin-en.html/tagging_messages.html</a>

"To include the tags in the message, use the $TAGS macro in a template.
Alternatively, if you are using the IETF-syslog message format, you can
include the $TAGS macro in the .SDATA.meta part of the message. Note that
the $TAGS macro is available only in syslog-ng PE 3.1.1 and later."

So it looks like I've found the answer to my question? Before I start along
the path seeking purchase approval for SyslogNG PE, I wanted to make sure
there was no other way to do what I had in mind?

Cheers
Steve
______________________________________________________________________________
Member info: <a class="moz-txt-link-freetext" href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a>
Documentation: <a class="moz-txt-link-freetext" href="http://www.balabit.com/support/documentation/?product=syslog-ng">http://www.balabit.com/support/documentation/?product=syslog-ng</a>
FAQ: <a class="moz-txt-link-freetext" href="http://www.campin.net/syslog-ng/faq.html">http://www.campin.net/syslog-ng/faq.html</a>
</pre>
</blockquote>
</blockquote>
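<p>The configuration below is an added example illustrating the program-override() / program() approach suggested at the top of this thread; it is not code from the thread or from the syslog-ng project. It shows two separate syslog-ng.conf fragments (the client that tails the batch log files, and the central server) in one listing for readability. All file paths, the hierarchical program names, the hostname, the port and the certificate locations are assumptions chosen for the example.</p>

```conf
@version: 3.2

# ---------------- client side: tails the batch log files ----------------

# One file() source per log file. program-override() stamps every line
# read from that file with a hierarchical $PROGRAM, so nothing about the
# file name has to be carried inside the message. flags(no-parse) keeps
# the whole line in $MSG because these files are not syslog formatted.
# File paths and program names are assumed for illustration.
source s_batch_finance {
    file("/var/log/batch/invoices.log"
        follow-freq(1)
        flags(no-parse)
        program-override("batch/finance/invoices"));
    file("/var/log/batch/payments.log"
        follow-freq(1)
        flags(no-parse)
        program-override("batch/finance/payments"));
};

source s_batch_hr {
    file("/var/log/batch/payroll.log"
        follow-freq(1)
        flags(no-parse)
        program-override("batch/hr/payroll"));
};

# Ship only the interesting lines; match() is a regex over $MESSAGE.
filter f_interesting { match("ERROR|WARN|FAILED" value("MESSAGE")); };

# Forward over TLS so $PROGRAM and $MSG cannot be read or altered in
# transit. Hostname, port and certificate paths are assumptions.
destination d_central {
    syslog("logserver.example.com"
        port(6514)
        transport("tls")
        tls(ca_dir("/etc/syslog-ng/ca.d")
            key_file("/etc/syslog-ng/cert.d/client.key")
            cert_file("/etc/syslog-ng/cert.d/client.crt")));
};

log {
    source(s_batch_finance);
    source(s_batch_hr);
    filter(f_interesting);
    destination(d_central);
};

# ---------------- server side: receives from the client above ----------------

# Require a trusted client certificate so only known collectors can
# inject messages carrying these $PROGRAM values.
source s_clients {
    syslog(ip(0.0.0.0)
        port(6514)
        transport("tls")
        tls(ca_dir("/etc/syslog-ng/ca.d")
            key_file("/etc/syslog-ng/cert.d/server.key")
            cert_file("/etc/syslog-ng/cert.d/server.crt")
            peer_verify(required-trusted)));
};

# program() is a regex match on $PROGRAM, so the hierarchy gives a cheap
# filter at every level: the whole batch, one category, or one file.
# The anchors matter: an unanchored program("batch/finance") would also
# match any future program name that merely contains that substring.
filter f_batch        { program("^batch/"); };
filter f_finance      { program("^batch/finance/"); };
filter f_invoice_file { program("^batch/finance/invoices$"); };

# Keep $PROGRAM in front of each stored line so the origin stays visible.
destination d_finance {
    file("/var/log/central/finance.log"
        template("${ISODATE} ${HOST} ${PROGRAM}: ${MSG}\n"));
};

log {
    source(s_clients);
    filter(f_finance);
    destination(d_finance);
};
```

<p>Two practical caveats. The syslog() driver sends RFC 5424, where $PROGRAM travels as the APP-NAME header field, which is limited to 48 printable US-ASCII characters, so keep the hierarchical names short and free of spaces. And ca_dir() expects the CA certificates to be stored under their hashed names (as produced by c_rehash), otherwise the TLS handshake fails at verification rather than at configuration load.</p>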
</body>
</html>