Please step in and correct me if I'm wrong here, but according to Marci's blog post at http://marci.blogs.balabit.com/2009/05/tag-support-in-syslog-ng.html it would appear that this is possible using different syntax.  Namely, using tags(".source.log2") in your filter.

On Wed, Mar 31, 2010 at 12:57 PM, Zoltán Pallagi <pzolee@balabit.hu> wrote:
Hi,

I'm afraid that you may misunderstand the working of this feature. The tag field exists only within a running syslog-ng and just a virtual part of the message. The sent message doesn't contain tag fields that's why you cannot filter these tags with another syslog-ng.

However, I can suggest you an other solution:
use the program_override option. This will override the $PROGRAM macro with the specified value.
For example:
source s_app {
file("/var/log/log1.log" program_override("/var/log/log1.log"));
file("/opt//log/log2.log" tags("log2") program_override("/opt/log/log2.log"));
file("/opt/log/log3.log" tags("log3") program_override("/opt/log/log3.log"));
};

After that, you can use a specified program filter on the central logging server side to separate them.

2010.03.31. 16:39 keltezéssel, Hoenig, Stefan, VF-Group írta:
Hi all,
I got a problem to get the "tags" feature working on our syslog-ng 3.1. I want to collect messages from 3 different files on the
source system and want to separate them again on the central logging server.
The client configuration looks like this:
----------------------------------------------------------------------------------------------------
source s_app {
file("/var/log/log1.log");
file("/opt//log/log2.log" tags("log2"));
file("/opt/log/log3.log" tags("log3"));
};
options {
};

destination d_app { tcp("logrelay01.domain.com" port(13074)); };

log {
source(s_app);
destination(d_app);
};
----------------------------------------------------------------------------------------------------
 
The log relay does nothing than forward the messages to the central logging server with the following config:
----------------------------------------------------------------------------------------------------
options {
time_sleep(20);
log_fifo_size(1000);
dns_cache(2000);
dns_cache_expire(87600);
keep_hostname(yes);
};

source s_remote { tcp(ip("0.0.0.0") port(13074)); };
 
destination remote_tcp { tcp("centrallog01.domain.com" port(13074)); };
 
log {
source(s_remote);
destination(remote_tcp);
};
----------------------------------------------------------------------------------------------------
 
On the central logging server I use filters to separate the logfiles again:
----------------------------------------------------------------------------------------------------
@version: 3.0
include "/opt/config/syslogng-inc.conf";
 
options {
time_sleep(20);
dns_cache(2000);
dns_cache_expire(87600);
keep_hostname(yes);
create_dirs(yes);
};

source s_remote { tcp (ip("0.0.0.0") port(13074) keep-alive(yes)); };
============================================
 
This is the confoguration in /opt/config/syslogng-inc.conf
# Filter
filter f_log1 { host("web00(09|10)"); };
filter f_log2 { host("web00(09|10)") and tags("log2"); };
filter f_log3 { host("web00(09|10)") and tags("log3"); };
 
#Configuration for Destinations
destination d_log1 { file("/var/logs/log1/combined.log" perm(0755) dir_perm(0755)); };
destination d_log2 { file("/var/logs/log2/combined.log" perm(0755) dir_perm(0755)); };
destination d_log3 { file("/var/logs/log3/combined.log" perm(0755) dir_perm(0755)); };
# Logfile log1
log {
source(s_remote);
filter(f_log1);
destination(d_log1);
};
 
# Logfile log2
log {
source(s_remote);
filter(f_log2);
destination(d_log2);
};
 
# Logfile log3
log {
source(s_remote);
filter(f_log3);
destination(d_log3);
};
----------------------------------------------------------------------------------------------------
 
Does anybody have an idea, why it does not work as expected.
 
Thanks for any suggestion and/or idea.
 
Best regards Stefan
 

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html


--
pzolee

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html