On 11/03/2011 10:33 PM, Jakub Jankowski wrote:
On 2011-11-03, Miguel Alvarez wrote:
Well, something similar is possible with syslog-ng as well: (beware, completely untested, there might be typos!) [...]
source s_snort_alert { file("/var/log/snort/alert"); tag("snort"); };
[...]
[1]: http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.2-guide...
Wow, thank you so much! That actually looks pretty straightforward.
I initially had syslog-ng 3.2.4 installed but it was complaining about the "source plugin tag not found". I thought this was perhaps due to it not being 3.3 so I built and installed 3.3.1 but am still seeing it. Is there something I'm missing from my build or not loading in my config?
It's a typo in Gergely's example. It's "tags", not "tag" :) See the docs[2]
[2] http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.2-guide...
Also, tags() have to be within the file() declaration, so the above should rather look like
source s_snort_alert { file("/var/log/snort/alert" tags("snort")); };
Balint
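To show the corrected tags() placement in context, here is a complete syslog-ng OSE 3.3 configuration fragment. This is an added example and not part of the thread above or of syslog-ng's own documentation: the source path /var/log/snort/alert comes from the thread, while the destination file path, the remote collector address and port, and the flags(no-parse) option (used because Snort's alert file is not in syslog line format) are assumptions for illustration.

```conf
@version: 3.3

# Read Snort's plain-text alert file. tags() is an option of the file()
# driver, so it goes inside the file(...) parentheses, not next to it.
# flags(no-parse) is assumed here because Snort alert lines carry no syslog
# header; every line is taken verbatim as the message body.
source s_snort_alert {
    file("/var/log/snort/alert" flags(no-parse) tags("snort"));
};

# Match only messages that carry the "snort" tag set by the source above.
filter f_snort { tags("snort"); };

# Assumed destinations: a local copy and a remote collector.
destination d_snort_local { file("/var/log/snort/alert-syslog.log"); };
destination d_snort_remote { tcp("10.0.0.10" port(514)); };

# Route tagged Snort alerts to both destinations.
log {
    source(s_snort_alert);
    filter(f_snort);
    destination(d_snort_local);
    destination(d_snort_remote);
};
```

Before reloading, check the file for syntax errors with `syslog-ng --syntax-only -f /path/to/this.conf`; a misplaced tag() outside file() is reported at this stage rather than at runtime.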