Martin Holste wrote:Yes and no. It's a correct way to use tagging on sources.Ok, so '.sources' has nothing to do with user-provided tags, but in his example Marci uses:
source s_tcp2 {
tcp(ip(192.168.1.2) port(1514) tags("tcp", "windows));
};
#Match on tags "tcp" or "udp"
filter f_net {
tags("tcp", "udp");
};
Which seems to imply that arbitrary user tags can be set and then matched on in a filter later. So, it seems what is missing from Stefan's config was:
source s_remote { tcp (ip("0.0.0.0") port(13074) keep-alive(yes) tags("log2"); };
Which would allow his later filter statement
filter f_log2 { host("web00(09|10)") and tags("log2"); };
to succeed. Right?
And no, because his original aim wasn't that.
He wanted to mark logs coming from different source files of the client by tags and than to recreate almost the same file and log structure on the server by these tags.
In your solution he would have only one tag for all the messages coming from different sources of client.
On Thu, Apr 1, 2010 at 8:37 AM, Zoltán Pallagi <pzolee@balabit.hu> wrote:
Martin Holste wrote:No, you are using a wrong tag name.Please step in and correct me if I'm wrong here, but according to Marci's blog post at http://marci.blogs.balabit.com/2009/05/tag-support-in-syslog-ng.html it would appear that this is possible using different syntax. Namely, using tags(".source.log2") in your filter.
In this case, you can use the following tag:
tags(".source.s_app")
this is an on-the-fly generated tag,every incoming message has it one given with the following formula: ".source.<sourcename>"
On Wed, Mar 31, 2010 at 12:57 PM, Zoltán Pallagi <pzolee@balabit.hu> wrote:
Hi,
I'm afraid that you may misunderstand the working of this feature. The tag field exists only within a running syslog-ng and just a virtual part of the message. The sent message doesn't contain tag fields that's why you cannot filter these tags with another syslog-ng.
However, I can suggest you an other solution:
use the program_override option. This will override the $PROGRAM macro with the specified value.
For example:
source s_app {
file("/var/log/log1.log" program_override("/var/log/log1.log"));
file("/opt//log/log2.log" tags("log2") program_override("/opt/log/log2.log"));
file("/opt/log/log3.log" tags("log3") program_override("/opt/log/log3.log"));
};
After that, you can use a specified program filter on the central logging server side to separate them.
2010.03.31. 16:39 keltezéssel, Hoenig, Stefan, VF-Group írta:______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.campin.net/syslog-ng/faq.htmlHi all,I got a problem to get the "tags" feature working on our syslog-ng 3.1. I want to collect messages from 3 different files on thesource system and want to separate them again on the central logging server.The client configuration looks like this:----------------------------------------------------------------------------------------------------source s_app {
file("/var/log/log1.log");
file("/opt//log/log2.log" tags("log2"));
file("/opt/log/log3.log" tags("log3"));
};options {
};
destination d_app { tcp("logrelay01.domain.com" port(13074)); };
log {
source(s_app);
destination(d_app);
};
----------------------------------------------------------------------------------------------------The log relay does nothing than forward the messages to the central logging server with the following config:----------------------------------------------------------------------------------------------------options {
time_sleep(20);
log_fifo_size(1000);
dns_cache(2000);
dns_cache_expire(87600);
keep_hostname(yes);
};
source s_remote { tcp(ip("0.0.0.0") port(13074)); };destination remote_tcp { tcp("centrallog01.domain.com" port(13074)); };log {
source(s_remote);
destination(remote_tcp);
};
----------------------------------------------------------------------------------------------------On the central logging server I use filters to separate the logfiles again:----------------------------------------------------------------------------------------------------@version: 3.0
include "/opt/config/syslogng-inc.conf";options {
time_sleep(20);
dns_cache(2000);
dns_cache_expire(87600);
keep_hostname(yes);
create_dirs(yes);
};
source s_remote { tcp (ip("0.0.0.0") port(13074) keep-alive(yes)); };
============================================This is the confoguration in /opt/config/syslogng-inc.conf# Filter
filter f_log1 { host("web00(09|10)"); };
filter f_log2 { host("web00(09|10)") and tags("log2"); };
filter f_log3 { host("web00(09|10)") and tags("log3"); };#Configuration for Destinationsdestination d_log1 { file("/var/logs/log1/combined.log" perm(0755) dir_perm(0755)); };
destination d_log2 { file("/var/logs/log2/combined.log" perm(0755) dir_perm(0755)); };
destination d_log3 { file("/var/logs/log3/combined.log" perm(0755) dir_perm(0755)); };
# Logfile log1
log {
source(s_remote);
filter(f_log1);
destination(d_log1);
};# Logfile log2
log {
source(s_remote);
filter(f_log2);
destination(d_log2);
};# Logfile log3log {
source(s_remote);
filter(f_log3);
destination(d_log3);
};----------------------------------------------------------------------------------------------------Does anybody have an idea, why it does not work as expected.Thanks for any suggestion and/or idea.Best regards Stefan
--
pzolee
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.campin.net/syslog-ng/faq.html
-- pzolee
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.campin.net/syslog-ng/faq.html
-- pzolee