On Fri, 2010-04-02 at 15:50 -0700, Lance Laursen wrote:
On Fri, Apr 2, 2010 at 1:25 AM, SZALAY Attila <sasa@balabit.hu> wrote:

Hi All!

On Thu, 2010-04-01 at 11:37 -0600, Martin Holste wrote:
> Ok, I think I see what you're saying: the tag only exists on the local
> box and does not get forwarded in the message. You were saying you
> have to overwrite the original program with some other value so that
> the tag is permanent and will survive multiple relays. Sorry for the
> confusion.

Try to think about the tags as a sticky note on a package. When I want to create a lot of uniform white bags I put a sticky note into it, so I can make a difference between them. But after I write the correct addresses I take off the notes from it. In the example the tag is not surviving the relays. He put the tag _value_ into another field. Just like if I put some information into the destination address to my mail.

But I think that the idea of the persistent tags is great. And in the new syslog protocol there is space for it. I will create a feature request for it. :)

I agree. When tagging was first announced I was disappointed that they would not survive relays. Program_override is a way to 'tag' relayed messages, but it seems like a work-around (just like, say, using templates to add a custom string before $MSG to filter for at your receiving host). In a large setup, matching by host or other means is not manageable (especially if you want your configs to be multi-site compatible), so I think persistent tags would be a useful feature when sending from syslog-ng to syslog-ng.

True enough, it wasn't our original intention with the tags filter, but that's how open source works: we create a feature and you have a new idea based on that.

We already had a $TAGS macro that at least makes it possible to include the set of TAGS in a message template, making it easier to transfer it to the other side. I've ported this functionality to OSE 3.1 with this patch:

commit 0fed21453d7adb2a2befd534d1dea72b1d5599ee
Author: Balazs Scheidler <bazsi@balabit.hu>
Date:   Sun Apr 4 11:09:22 2010 +0200

    template: added TAGS macro support which expands to a set of comma separated tag values

Something like this would work for instance:

    rewrite r_tags { set("$TAGS" value(".SDATA.local.tags")); };

Which would include the tags value in the local.tags structured data member (when using the new syslog protocol). Of course you could also include the tags value in the message itself if you need to stick with the legacy BSD syslog.

Transferring the complete message _with_ all metainformation is in our plans. (e.g. creating a serialized representation of a message and transfer that)

-- 
Bazsi
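
The approach described in the last message, written out for both ends as an added example (not part of the original thread and not the syslog-ng project's own configuration). The hostname, file paths, object names and the tag name "dmz" are assumptions; the rewrite rule is the one quoted above.

```conf
@version: 3.1
# Added example. Sender and receiver are two separate syslog-ng.conf files,
# shown together here; all names, paths and the "dmz" tag are assumptions.

######## sender: syslog-ng.conf ########
source s_local {
    # tags() attaches a tag that exists only on this box
    unix-stream("/dev/log" tags("dmz"));
};

# Copy the comma-separated tag list into structured data so it
# travels with the message instead of being dropped at the relay.
rewrite r_tags { set("$TAGS" value(".SDATA.local.tags")); };

destination d_relay {
    # syslog() uses the new syslog protocol, which carries SDATA
    syslog("relay.example.com" transport("tcp"));
};

log { source(s_local); rewrite(r_tags); destination(d_relay); };

######## receiver: syslog-ng.conf ########
source s_net { syslog(transport("tcp")); };

# $TAGS is a comma-separated list, so anchor on list boundaries:
# a bare "dmz" would also match a tag such as "dmz2".
# The value is supplied by the sender, so route on it only for
# senders this relay already trusts.
filter f_dmz {
    match("(^|,)dmz(,|$)" value(".SDATA.local.tags") type("pcre"));
};

destination d_dmz { file("/var/log/remote/dmz.log"); };

log { source(s_net); filter(f_dmz); destination(d_dmz); };
```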