Hi Nikolay,

On Fri, Nov 21, 2014 at 04:31:58PM -0500, Nikolay P wrote:
> Could anyone here advise me if it is possible to set a tags() on a log entry on one machine, send this log message to a remote syslog-ng and use this tags() in a filter on the remote machine?

It is not possible to send the contents of the TAGS macro using standard (rfc3164) syslog. However, you could send them over using format-json, or using the new ietf (rfc5424) syslog by including it in structured data (SDATA).

Here's the quote from the PE doc:

"Note that the tags are not part of the log message and are not automatically transferred from a client to the server. For example, if a client uses a pattern database to tag the messages, the tags are not transferred to the server. A way of transferring the tags is to explicitly add them to the log messages using a template and the ${TAGS} macro, or to add them to the structured metadata part of messages when using the IETF-syslog message format. When sent as structured metadata, it is possible to reference to the list of tags on the central server, and for example, to add them to a database column."

Cheers
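
The SDATA approach described in the reply above, as an added configuration sketch that is not part of the original message or the syslog-ng documentation. The tag name `app_log`, the file paths, the host `logserver.example.com` and the SD-ID `clienttags@32473` (32473 is the enterprise number reserved for examples) are all assumptions.

```conf
# ---------- client: syslog-ng.conf (constructed example) ----------
# Attach a tag at the source; "app_log" is a made-up tag name.
source s_app {
    file("/var/log/app.log" tags("app_log"));
};

# Tags are local metadata, so copy the comma-separated ${TAGS} list
# into a structured-data field that travels inside the RFC 5424 message.
rewrite r_tags_to_sdata {
    set("${TAGS}" value(".SDATA.clienttags@32473.tags"));
};

# syslog() sends IETF-syslog (RFC 5424), which carries SDATA.
destination d_central {
    syslog("logserver.example.com" transport("tcp") port(601));
};

log { source(s_app); rewrite(r_tags_to_sdata); destination(d_central); };

# ---------- server: syslog-ng.conf (constructed example) ----------
source s_net {
    syslog(transport("tcp") port(601));
};

# The client's tags arrive as an SDATA value, not as tags on the server,
# so match on the field. The pattern requires a whole list element, so
# "app_log" does not also match a tag such as "app_log_debug".
filter f_app_log {
    match("(^|,)app_log(,|$)" value(".SDATA.clienttags@32473.tags"));
};

destination d_app { file("/var/log/remote/app.log"); };

log { source(s_net); filter(f_app_log); destination(d_app); };
```

Because the field is client-supplied data, the server-side filter is only as trustworthy as the sender; restrict which hosts may connect to `s_net` before using it for routing or alerting decisions.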