<div class="gmail_quote">On Nov 11, 2011 17:06, "Matt Zagrabelny" <<a href="mailto:mzagrabe@d.umn.edu">mzagrabe@d.umn.edu</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi,<br>
<br>
I am trying to ship a bunch of apache log files across the network and<br>
on the syslog-ng server side then break them into their individual<br>
files again.<br>
<br>
I am not sure the best way to do this, but it looks like tags might be helpful.<br>
<br>
On my apache system I have the following snippets:<br>
<br>
-----{syslog-ng client begin}-----<br>
<br>
source s_apache_access {<br>
file("/var/log/apache2/access.log"<br>
tags("main_access")<br>
);<br>
};<br>
<br>
source s_apache_other_vhost_access {<br>
file("/var/log/apache2/other_vhost.log"<br>
tags("other_vhost_access")<br>
);<br>
};<br>
<br>
destination d_server {<br>
syslog(<br>
"10.0.0.1"<br>
transport("tls")<br>
port(6514)<br>
tls(<br>
peer-verify(required-trusted)<br>
ca_dir('/etc/syslog-ng/ssl/ca.d')<br>
key_file('/etc/syslog-ng/ssl/server.key')<br>
cert_file('/etc/syslog-ng/ssl/server.crt')<br>
)<br>
);<br>
};<br>
<br>
log {<br>
source(s_apache_access);<br>
source(s_apache_other_vhost_access);<br>
destination(d_server);<br>
};<br>
<br>
-----{syslog-ng client end}-----<br>
<br>
On my server I have the following:<br>
<br>
-----{syslog-ng server begin}-----<br>
<br>
source s_tls {<br>
syslog(<br>
ip(0.0.0.0)<br>
port(6514)<br>
transport("tls")<br>
tls(<br>
peer-verify(required-trusted)<br>
ca_dir('/etc/syslog-ng/ssl/ca.d')<br>
key_file('/etc/syslog-ng/ssl/server.key')<br>
cert_file('/etc/syslog-ng/ssl/server.crt')<br>
)<br>
max_connections(1000)<br>
keep_hostname(yes)<br>
);<br>
};<br>
<br>
filter f_main_apache_access {<br>
tags("main_access");<br>
};<br>
<br>
destination d_main_access {<br>
file("/var/log/apache2/access.log");<br>
};<br>
<br>
log {<br>
source(s_tls);<br>
filter(f_main_apache_access);<br>
destination(d_main_access);<br>
};<br>
<br>
-----{syslog-ng server end}-----<br>
<br>
It doesn't look like the "tag" is being preserved through the network.<br>
Does anyone know if tags is the right mechanism for splitting apart<br>
(filtering) the aggregate stream coming in on the server?<br>
<br>
Any other advice would be greatly appreciated.<br>
<br>
Thanks!<br>
<br>
-matt zagrabelny<br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</blockquote></div>