Ok, so '.sources' has nothing to do with user-provided tags, but in his example Marci uses:

source s_tcp2 { tcp(ip(192.168.1.2) port(1514) tags("tcp", "windows")); };
# Match on tags "tcp" or "udp"
filter f_net { tags("tcp", "udp"); };

Which seems to imply that arbitrary user tags can be set and then matched on in a filter later. So, it seems what is missing from Stefan's config was:

source s_remote { tcp(ip("0.0.0.0") port(13074) keep-alive(yes) tags("log2")); };

Which would allow his later filter statement

filter f_log2 { host("web00(09|10)") and tags("log2"); };

to succeed. Right?

On Thu, Apr 1, 2010 at 8:37 AM, Zoltán Pallagi <pzolee@balabit.hu> wrote:
Martin Holste wrote:
Please step in and correct me if I'm wrong here, but according to Marci's blog post at http://marci.blogs.balabit.com/2009/05/tag-support-in-syslog-ng.html it would appear that this is possible using different syntax. Namely, using tags(".source.log2") in your filter.
No, you are using a wrong tag name. In this case, you can use the following tag: tags(".source.s_app")
This is an on-the-fly generated tag; every incoming message has one, given by the following formula: ".source.<sourcename>"
On Wed, Mar 31, 2010 at 12:57 PM, Zoltán Pallagi <pzolee@balabit.hu> wrote:
Hi,
I'm afraid that you may misunderstand the working of this feature. The tag field exists only within a running syslog-ng and is just a virtual part of the message. The sent message doesn't contain tag fields, which is why you cannot filter on these tags with another syslog-ng.
However, I can suggest you another solution: use the program_override option. This will override the $PROGRAM macro with the specified value. For example:

source s_app {
    file("/var/log/log1.log" program_override("/var/log/log1.log"));
    file("/opt//log/log2.log" tags("log2") program_override("/opt/log/log2.log"));
    file("/opt/log/log3.log" tags("log3") program_override("/opt/log/log3.log"));
};
After that, you can use a specified program filter on the central logging server side to separate them.
On 2010.03.31. 16:39, Hoenig, Stefan, VF-Group wrote:
Hi all, I have a problem getting the "tags" feature working on our syslog-ng 3.1. I want to collect messages from 3 different files on the source system and want to separate them again on the central logging server. The client configuration looks like this:
----------------------------------------------------------------------------------------------------
source s_app {
    file("/var/log/log1.log");
    file("/opt//log/log2.log" tags("log2"));
    file("/opt/log/log3.log" tags("log3"));
};
options { };
destination d_app { tcp("logrelay01.domain.com" port(13074)); };
log { source(s_app); destination(d_app); };
----------------------------------------------------------------------------------------------------
The log relay does nothing but forward the messages to the central logging server with the following config:
----------------------------------------------------------------------------------------------------
options { time_sleep(20); log_fifo_size(1000); dns_cache(2000); dns_cache_expire(87600); keep_hostname(yes); };
source s_remote { tcp(ip("0.0.0.0") port(13074)); };
destination remote_tcp { tcp("centrallog01.domain.com" port(13074)); };
log { source(s_remote); destination(remote_tcp); };
----------------------------------------------------------------------------------------------------
On the central logging server I use filters to separate the logfiles again:
----------------------------------------------------------------------------------------------------
@version: 3.0
include "/opt/config/syslogng-inc.conf";
options { time_sleep(20); dns_cache(2000); dns_cache_expire(87600); keep_hostname(yes); create_dirs(yes); };
source s_remote { tcp(ip("0.0.0.0") port(13074) keep-alive(yes)); };
============================================
This is the configuration in /opt/config/syslogng-inc.conf

# Filter
filter f_log1 { host("web00(09|10)"); };
filter f_log2 { host("web00(09|10)") and tags("log2"); };
filter f_log3 { host("web00(09|10)") and tags("log3"); };

# Configuration for Destinations
destination d_log1 { file("/var/logs/log1/combined.log" perm(0755) dir_perm(0755)); };
destination d_log2 { file("/var/logs/log2/combined.log" perm(0755) dir_perm(0755)); };
destination d_log3 { file("/var/logs/log3/combined.log" perm(0755) dir_perm(0755)); };

# Logfile log1
log { source(s_remote); filter(f_log1); destination(d_log1); };
# Logfile log2
log { source(s_remote); filter(f_log2); destination(d_log2); };
# Logfile log3
log { source(s_remote); filter(f_log3); destination(d_log3); };
----------------------------------------------------------------------------------------------------
Does anybody have an idea why it does not work as expected?
Thanks for any suggestion and/or idea.
Best regards Stefan
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.campin.net/syslog-ng/faq.html
-- pzolee
-- pzolee