[syslog-ng] grouping of sources
Balazs Scheidler
bazsi at balabit.hu
Sun Feb 15 10:31:19 CET 2009
On Mon, 2009-02-09 at 11:36 -0500, Joe Shaw wrote:
> Hi,
>
> On Sun, Feb 8, 2009 at 10:08 AM, Balazs Scheidler <bazsi at balabit.hu> wrote:
> > Interesting idea. The only similar functionality that we have right now
> > is the use of the 'catch-all' flag. A catch-all log rule behaves as if _all_
> > sources would be specified. This is much less flexible than what you have
> > described though.
> >
> > Is this enough for you?
>
> Not exactly; I'd like some sources (such as internal()) to go to a
> local file and not over the wire to the centralized host.
>
> Might be something to consider adding to a future roadmap... I'm sure
> it's not long enough. ;)

I'll see what I can do about this. What about the following idea:

* make it possible to mark sources with tags
* create a filter that matches tags

Then you could do something like:

    source s_udp { udp(); tags(net); };
    source s_tcp { tcp(); tags(net); };

    filter f_net_messages { tags(net); };

    log { flags(catch-all); filter(f_net_messages); destination(...); };

I'd have to work on the syntax a bit more, but I hope the general idea
is visible.

--
Bazsi
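
An added example, not part of the original message or of syslog-ng itself: a small Python model of the proposal above that reads source and filter statements in the sketched syntax and reports which sources a catch-all log path guarded by a tag filter would forward, and which it would leave out. The sample configuration, the names s_local and s_tls, and the rule that a source matches when it carries any of the filter's tags are assumptions made for illustration.

```python
import re

# Constructed sample in the syntax sketched in the message above (a proposal,
# not necessarily what any syslog-ng release accepts).
SAMPLE_CONF = """
source s_local { internal(); };
source s_udp { udp(); tags(net); };
source s_tcp { tcp(); tags(net); };
source s_tls { tcp(); tags(net, secure); };
filter f_net_messages { tags(net); };
"""

STMT = re.compile(r"(source|filter)\s+(\w+)\s*\{(.*?)\}\s*;", re.S)
TAGS = re.compile(r"tags\(([^)]*)\)")


def parse(conf):
    """Return ({source: tags}, {filter: tags}) found in the config text."""
    found = {"source": {}, "filter": {}}
    for kind, name, body in STMT.findall(conf):
        tags = set()
        for arglist in TAGS.findall(body):
            tags.update(t.strip().strip('"') for t in arglist.split(",") if t.strip())
        found[kind][name] = tags
    return found["source"], found["filter"]


def catch_all_route(conf, filter_name):
    """Split sources into (forwarded, kept_back) for a catch-all log path
    guarded by one tag filter. Catch-all considers every source, so the
    filter alone decides (assumption: any shared tag is a match)."""
    sources, filters = parse(conf)
    wanted = filters[filter_name]
    forwarded = sorted(s for s, tags in sources.items() if tags & wanted)
    kept_back = sorted(s for s in sources if s not in forwarded)
    return forwarded, kept_back


if __name__ == "__main__":
    fwd, local = catch_all_route(SAMPLE_CONF, "f_net_messages")
    print("forwarded:", fwd)
    print("not forwarded:", local)
```

The second list is the one to review when auditing such a setup: any source that was never tagged is silently excluded from the forwarding path.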