[syslog-ng] Appending values to Structured-Data

Balazs Scheidler bazsi at balabit.hu
Wed Mar 11 22:54:05 CET 2009


On Wed, 2009-03-11 at 11:59 +0100, Christian Haase wrote:
> Hi,
> 
> I want to send apache2 messages via tcp to my syslog server using
> syslog-ng3 with the IETF-Message format.
> 
> I specified a source which uses file("/var/log/apache2/access.log"
> flags(no-parse) follow-freq(5)) to fetch the log data. So the originating
> apache message stays untouched and can be found in the MSG part.
> 
> This message is packed into the IETF-Frame with the destination
> syslog("..." transport("tls") ... )
> 
> On server-side I want to "unpack" the message again to reconstruct the
> original format of the access.log.
> 
> The main problem is to decide the source of the message to write it into
> the right file (multiple webservers will log this way). I wanted to
> solve this problem by setting the unused IETF-Message Headers to the
> values that identify them. For example, I wanted to append a string like
> "www=my.web.site" to the Structured Data. This information would then
> be interpreted and the corresponding file will be used.
> 
> Is there a way to set these fields and use them on the destination
> server in filters?

Unfortunately, it is not currently possible to change structured-data
inside syslog-ng. There's some infrastructure for it, but the feature is
not completed. The current data structure used to hold the structured
data information is not really good for changing SD values, it is more
used for lookup.

You can reference Structured Data values using the macro name
convention:

.SDATA.<SDID>.<SDPARAM>

e.g. ".SDATA.meta.sequenceId" would expand to the value of the
sequenceId parameter in the "meta" block.

On the other hand I don't see why you couldn't use the $HOST macro on
the server side. syslog-ng prepends a nice syslog header to each
outgoing message (even those which were read using no-parse) and there
it includes the hostname information.

Or did you want to include virthost information?

-- 
Bazsi
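
Added example, not part of the original message and not syslog-ng's own code: a small Python parser showing how the parameters in an IETF-syslog (RFC 5424) frame map onto the .SDATA.<SDID>.<SDPARAM> names described above, and how HOST can select the per-webserver file. The function names, the sample message, the "example@32473" SD-ID and the /var/log/remote base directory are assumptions made for illustration.

```python
import re

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID
HEADER = re.compile(r"<(\d{1,3})>(\d{1,2}) (\S+) (\S+) (\S+) (\S+) (\S+) ")
SD_ID = re.compile(r'\[([^ ="\]]+)')
SD_PARAM = re.compile(r' ([^ ="\]]+)="((?:[^"\\\]]|\\.)*)"')
SAFE_HOST = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,254}")

# Constructed sample: an access.log line carried as MSG in an IETF-syslog frame.
SAMPLE = ('<134>1 2009-03-11T11:59:00+01:00 web1 apache2 - - '
          '[meta sequenceId="42"][example@32473 www="my.web.site"] '
          '10.0.0.5 - - [11/Mar/2009:11:59:00 +0100] "GET / HTTP/1.1" 200 512')


def parse_ietf(line):
    """Parse one message; SD params are keyed .SDATA.<SDID>.<SDPARAM>."""
    head = HEADER.match(line)
    if not head:
        raise ValueError("not an RFC 5424 header")
    values = {"HOST": head.group(4), "PROGRAM": head.group(5)}
    pos = head.end()
    if line.startswith("-", pos):            # NILVALUE: no structured data
        pos += 1
    while line.startswith("[", pos):         # one iteration per SD-ELEMENT
        sd_id = SD_ID.match(line, pos)
        if not sd_id:
            raise ValueError("bad SD-ID")
        pos = sd_id.end()
        while (param := SD_PARAM.match(line, pos)):
            value = re.sub(r'\\(["\\\]])', r"\1", param.group(2))  # undo \" \\ \]
            values[f".SDATA.{sd_id.group(1)}.{param.group(1)}"] = value
            pos = param.end()
        if not line.startswith("]", pos):
            raise ValueError("unterminated SD-ELEMENT")
        pos += 1
    values["MSG"] = line[pos + 1:] if line.startswith(" ", pos) else ""
    return values


def log_path_for(values, base="/var/log/remote"):
    """Pick the per-webserver file from HOST, which is sender-controlled."""
    host = values["HOST"]
    if not SAFE_HOST.fullmatch(host) or ".." in host:
        raise ValueError("unsafe HOST value: %r" % host)
    return f"{base}/{host}/access.log"


if __name__ == "__main__":
    print(parse_ietf(SAMPLE)[".SDATA.meta.sequenceId"], log_path_for(parse_ietf(SAMPLE)))
```

HOST and every SD parameter come from the sending side, so any value used to build a file name is checked before it reaches the path.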



