Hi, list.

Could anyone here advise me if it is possible to set tags() on a log entry on one machine, send this log message to a remote syslog-ng and use these tags() in a filter on the remote machine? So that on machine 1:

    source src { internal(tags("computer", "test")); };
    destination rem { udp("example.org" port(514)); };
    log { source(src); destination(rem); };

And on machine 2 (example.org):

    source rem { udp(ip("0.0.0.0") port(514)); };
    filter f_tag_test { tags("test"); };
    destination test_dest { file("/var/log/test.log"); };
    log { source(rem); filter(f_tag_test); destination(test_dest); };

So, should I be able to read the tags ("computer" and "test") set by machine 1 on machine 2?
Hi Nikolay, On Fri, Nov 21, 2014 at 04:31:58PM -0500, Nikolay P wrote:
> Could anyone here advise me if it is possible to set tags() on a log entry on one machine, send this log message to a remote syslog-ng and use these tags() in a filter on the remote machine?

It is not possible to send the contents of the TAGS macro using standard (rfc3164) syslog. However, you could send them over using format-json, or using the new ietf (rfc5424) syslog by including it in the structured data (SDATA). Here's the quote from the PE doc:

"Note that the tags are not part of the log message and are not automatically transferred from a client to the server. For example, if a client uses a pattern database to tag the messages, the tags are not transferred to the server. A way of transferring the tags is to explicitly add them to the log messages using a template and the ${TAGS} macro, or to add them to the structured metadata part of messages when using the IETF-syslog message format. When sent as structured metadata, it is possible to reference to the list of tags on the central server, and for example, to add them to a database column."

Cheers
Hi Nikolay,
> Could anyone here advise me if it is possible to set tags() on a log entry on one machine, send this log message to a remote syslog-ng and use these tags() in a filter on the remote machine?

As Fabien pointed out, it is possible. I'm doing something similar using the rfc5424 protocol.

The first thing I do is rewriting the log to append local scoped macro data into the sdata structure (here I'm using $SOURCEIP, where you want $tags). When I read rfc5424 I remember that there are custom data-structures where you can store your tags (I decided to abuse .SDATA.origin.ip for my purpose):

    rewrite r_sdata { set("$SOURCEIP" value(".SDATA.origin.ip")); };

The second thing is to use the syslog-driver (capable of sending and receiving rfc5424):

    destination d_logserver { syslog("X.X.X.X" transport("udp")); };

And finally the log line:

    log { source(s_network); source(src); rewrite(r_sdata); destination(d_logserver); };

On the server I have a source capable of rfc5424:

    source s_network { syslog(transport("udp") flags(validate-utf8) so-rcvbuf(2097152)); };

The transferred information is directly available on the server in the macro ${.SDATA.origin.ip}. Your tags may be a bit special, because multiple tags would be transferred as a comma separated string. Matching on a single tag would probably mean rewriting the log again, this time with something like set("${.SDATA.your.structure}. " value("tags"));.

HTH, Sascha.

Chairman of the supervisory board: Herbert Vogel. Management: Michael Krüger. Registered office: Halle/Saale. Registry court: Amtsgericht Stendal | Commercial register no. HRB 208414. VAT ID no. DE 158253683.
This e-mail contains confidential and/or legally protected information. If you are not the intended recipient or have received this e-mail in error, please inform the sender immediately and destroy this e-mail. Unauthorized copying and unauthorized forwarding of this e-mail or its contents are not permitted. This communication by e-mail is not protected against access by third parties.
GISA GmbH expressly accepts no liability for the content and completeness of e-mails and for any damage that may result from them. Should a virus reach your system through this e-mail despite the existing virus protection programs, GISA GmbH is not liable, to the extent permitted by law, for the resulting damage.
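To make the SDATA route concrete, here is an added example (not code from the thread, from syslog-ng, or from either poster) that shows both sides of the exchange: the client packs its tag list into an RFC 5424 SD-PARAM, and the server parses the structured data back out and matches a single tag exactly instead of substring-matching the comma-separated string. The SD-ID `tags@32473` is an assumption (32473 is the enterprise number reserved for documentation), as is the PARAM-NAME `tags`; the message text and timestamp are constructed. Two points a practitioner should take from it: the PARAM-VALUE escaping rules of RFC 5424 (`"`, `\` and `]` must be backslash-escaped) have to be applied on both ends, and anything arriving in SDATA is client-asserted metadata, so a server-side filter on it should be treated as a routing hint from that client, not as trusted classification.

```python
"""Carry syslog-ng tags through RFC 5424 STRUCTURED-DATA and filter on them.

Added example, not part of the mailing-list thread or of syslog-ng.
Assumed names: SD-ID "tags@32473" (RFC documentation enterprise number)
and SD-PARAM "tags" holding a comma-separated tag list.
"""
import re

SD_ID = "tags@32473"          # assumed custom SD-ID for the tag list
PARAM = "tags"                # assumed PARAM-NAME

# RFC 5424 header: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID then SD [MSG]
HEADER = re.compile(r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) (.*)$", re.S)


def escape_param(value):
    """Escape the three characters RFC 5424 requires inside a PARAM-VALUE."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def build_rfc5424(msg, hostname, app, tags):
    """Client side: the equivalent of rewriting ${TAGS} into an SD-PARAM."""
    sd = '[%s %s="%s"]' % (SD_ID, PARAM, escape_param(",".join(tags)))
    # constructed timestamp; PROCID and MSGID are nil ("-")
    return "<14>1 2014-11-21T16:31:58Z %s %s - - %s %s" % (hostname, app, sd, msg)


def parse_structured_data(rest):
    """Scan STRUCTURED-DATA at the start of `rest`; return ({sd_id: {name: value}}, msg)."""
    if rest.startswith("-"):
        return {}, rest[1:].lstrip(" ")
    elements = {}
    i = 0
    while i < len(rest) and rest[i] == "[":
        i += 1
        j = i
        while rest[j] not in " ]":
            j += 1
        sd_id, params, i = rest[i:j], {}, j
        while rest[i] == " ":                     # zero or more SD-PARAMs
            i += 1
            j = rest.index("=", i)
            name = rest[i:j]
            if rest[j + 1] != '"':
                raise ValueError("PARAM-VALUE must be quoted")
            i, buf = j + 2, []
            while rest[i] != '"':                 # honour backslash escapes
                if rest[i] == "\\" and rest[i + 1] in '"\\]':
                    buf.append(rest[i + 1])
                    i += 2
                else:
                    buf.append(rest[i])
                    i += 1
            params[name] = "".join(buf)
            i += 1                                # closing quote
        if rest[i] != "]":
            raise ValueError("unterminated SD-ELEMENT")
        i += 1
        elements[sd_id] = params
    return elements, rest[i:].lstrip(" ")


def parse_message(line):
    """Server side: split an RFC 5424 line into (structured data, MSG)."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("not an RFC 5424 message")
    try:
        return parse_structured_data(m.group(7))
    except IndexError:
        raise ValueError("malformed STRUCTURED-DATA")


def tags_from(sd):
    """Recover the client's tag list from the assumed SD-ID/PARAM pair."""
    value = sd.get(SD_ID, {}).get(PARAM, "")
    return [t for t in value.split(",") if t]


def has_tag(line, tag):
    """Exact single-tag match, the server-side analogue of filter { tags("test") }.
    Splitting first avoids the substring trap where "test" would also hit "testing"."""
    sd, _ = parse_message(line)
    return tag in tags_from(sd)


if __name__ == "__main__":
    wire = build_rfc5424("disk almost full", "machine1", "syslog-ng", ["computer", "test"])
    print(wire)
    print("has test:", has_tag(wire, "test"), "| has tes:", has_tag(wire, "tes"))
```

On the syslog-ng side the same split can be expressed with a rewrite that copies the SD-PARAM into a message field and a filter on it; the Python above is only the reference behaviour to check such a config against with a known wire line.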
participants (3)
- Fabien Wernli
- Lucas, Sascha
- Nikolay P