Hi,

I would like to transfer/store Apache logs, but for some reason I can't tag them. I tried:

    source s_access {
        pipe("/var/log/apache2/pipe_access.log" tags("testtag"));
    };

or

    source s_access {
        pipe("/var/log/apache2/pipe_access.log" program-override("testtag"));
    };

Because it doesn't work with 'tags', I used Apache to format the message: I put the chosen word into the log format, so it stores the log in the correct place on the client and also on the server. Part of the log:

    - [19/Jun/2017:13:46:29 +0200] acc001 127.0.0.1 - - "GET /server-status?auto HTTP/1.1" 200 1781

If it is possible, I want to use 'tags' instead of manipulating Apache log formats. I tried to read the pipes directly, but the above settings don't show, just the above log. I tried to tcpdump the traffic from client -> server (client side), but it doesn't show any of the settings. It looks to me like syslog-ng won't tag my logs. I also tried to read the stored log with file() and tag it; that doesn't work either. What am I missing?

Thanks,
Robert

Hi,

On Mon, Jun 19, 2017 at 01:55:51PM +0200, Sandbox wrote:
> I would like to transfer/store apache logs, but for some reason i cant tag them:

Tags are available internally in the $TAGS macro. Tags are not implicitly sent over when using the syslog protocol, unless you explicitly instruct syslog-ng to do so. Try adding the $TAGS macro to your template, or add a .SDATA prefix if you're using RFC5424.

Hi,

Okay, I added the tags to the sources, and it's getting transferred to the server.

Client:

    source s_access {
        pipe("/var/log/apache2/pipe_access.log" tags("acc001"));
    };

    destination d_network_def_apache {
        syslog("172.128.83.90" transport("tcp") ip-protocol(4) port("16602")
               persist-name("to_syslogng_def_apache")
               template("${MESSAGE} ${TAGS}\n"));
    };

I set up the server like this:

    filter apache_access { tags("acc001") };

    log { source(s_network); filter(apache_access); destination(d_apache_access); };

Nothing in the logs :S

I can see this via tcpdump: the ${MESSAGE} part and then the configured ${TAGS}, which is:

    acc001,.source.s_access

But the filter doesn't work on the server side. Why does it log the source name, and why doesn't it find the TAG?

Thanks,
Robert

2017-06-19 15:15 GMT+02:00 Fabien Wernli <wernli@in2p3.fr>:
> Hi,
>
> On Mon, Jun 19, 2017 at 01:55:51PM +0200, Sandbox wrote:
> > I would like to transfer/store apache logs, but for some reason i cant tag them:
>
> Tags are available internally in the $TAGS macro. Tags are not implicitly sent over when using the syslog protocol, unless you explicitly instruct syslog-ng to do so.
> Try adding the $TAGS macro to your template, or add a .SDATA prefix if you're using RFC5424

Hi,

You can't send tags from one server to the other without losing the ability to use them as tags (in filters). What you can do is send name-value pairs, and use those as filters. To do that, use rfc5424 and the .SDATA prefix in the key.

cheers

Or alternatively, you could send .SDATA.syslog.TAGS and use a regex match on that macro on the receiver.
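
The approach suggested in the replies above, written out as a syslog-ng configuration. This is an added example, not part of the original thread: it reuses the thread's source, address, port and filter names, while r_tags_to_sdata, the s_network definition and the destination file path are assumptions.

```conf
# ---------- client ----------
source s_access {
    pipe("/var/log/apache2/pipe_access.log" tags("acc001"));
};

# Tags exist only inside the local syslog-ng process. Copy the tag list
# into a name-value pair whose name starts with .SDATA. so that it is
# serialized into the RFC5424 structured-data field.
rewrite r_tags_to_sdata {               # hypothetical name
    set("${TAGS}" value(".SDATA.syslog.TAGS"));
};

destination d_network_def_apache {
    # syslog() sends RFC5424, so the pair travels as [syslog TAGS="..."]
    # and the message body no longer needs ${TAGS} appended to it.
    syslog("172.128.83.90" transport("tcp") ip-protocol(4) port(16602)
           persist-name("to_syslogng_def_apache"));
};

log { source(s_access); rewrite(r_tags_to_sdata); destination(d_network_def_apache); };

# ---------- server ----------
source s_network {                      # assumed definition
    syslog(transport("tcp") port(16602));
};

# tags("acc001") cannot match on the receiver: the value arrives as a
# plain name-value pair, not as a tag. Match it as one element of the
# comma-separated list (the client sent "acc001,.source.s_access").
# The value is whatever the sender put in the message, so treat it as a
# routing hint from trusted clients, not as proof of origin.
filter apache_access {
    match('(^|,)acc001(,|$)' value(".SDATA.syslog.TAGS"));
};

destination d_apache_access {
    file("/var/log/remote/apache_access.log");   # assumed path
};

log { source(s_network); filter(apache_access); destination(d_apache_access); };
```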

Participants (2): Fabien Wernli, Sandbox