[syslog-ng] Problem using tags with syslog-ng 3.1

Martin Holste mcholste at gmail.com
Thu Apr 1 15:39:45 CEST 2010


Please step in and correct me if I'm wrong here, but according to Marci's
blog post at
http://marci.blogs.balabit.com/2009/05/tag-support-in-syslog-ng.html it
would appear that this is possible using different syntax.  Namely, using
tags(".source.log2") in your filter.

On Wed, Mar 31, 2010 at 12:57 PM, Zoltán Pallagi <pzolee at balabit.hu> wrote:

>  Hi,
>
> I'm afraid that you may misunderstand the working of this feature. The tag
> field exists only within a running syslog-ng and is just a virtual part of the
> message. The sent message doesn't contain tag fields; that's why you cannot
> filter these tags with another syslog-ng.
>
> However, I can suggest another solution:
> use the program_override option. This will override the $PROGRAM macro with
> the specified value.
> For example:
> source s_app {
>     file("/var/log/log1.log" program_override("/var/log/log1.log"));
>     file("/opt//log/log2.log" tags("log2") program_override("/opt/log/log2.log"));
>     file("/opt/log/log3.log" tags("log3") program_override("/opt/log/log3.log"));
> };
>
> After that, you can use a specified program filter on the central logging
> server side to separate them.
>
> On 2010.03.31. 16:39, Hoenig, Stefan, VF-Group wrote:
>
> Hi all,
> I have a problem getting the "tags" feature working on our syslog-ng 3.1. I
> want to collect messages from 3 different files on the source system and
> want to separate them again on the central logging server.
> The client configuration looks like this:
>
> ----------------------------------------------------------------------------------------------------
> source s_app {
> file("/var/log/log1.log");
> file("/opt//log/log2.log" tags("log2"));
> file("/opt/log/log3.log" tags("log3"));
> };
> options {
> };
>
> destination d_app { tcp("logrelay01.domain.com" port(13074)); };
>
> log {
> source(s_app);
> destination(d_app);
> };
>
> ----------------------------------------------------------------------------------------------------
>
> The log relay does nothing other than forward the messages to the central
> logging server with the following config:
>
> ----------------------------------------------------------------------------------------------------
> options {
> time_sleep(20);
> log_fifo_size(1000);
> dns_cache(2000);
> dns_cache_expire(87600);
> keep_hostname(yes);
> };
>
> source s_remote { tcp(ip("0.0.0.0") port(13074)); };
>
> destination remote_tcp { tcp("centrallog01.domain.com" port(13074)); };
>
> log {
> source(s_remote);
> destination(remote_tcp);
> };
>
> ----------------------------------------------------------------------------------------------------
>
> On the central logging server I use filters to separate the logfiles again:
>
> ----------------------------------------------------------------------------------------------------
> @version: 3.0
>  include "/opt/config/syslogng-inc.conf";
>
> options {
> time_sleep(20);
> dns_cache(2000);
> dns_cache_expire(87600);
> keep_hostname(yes);
> create_dirs(yes);
> };
>
> source s_remote { tcp (ip("0.0.0.0") port(13074) keep-alive(yes)); };
>  ============================================
>
> This is the configuration in /opt/config/syslogng-inc.conf
> # Filter
> filter f_log1 { host("web00(09|10)"); };
> filter f_log2 { host("web00(09|10)") and tags("log2"); };
> filter f_log3 { host("web00(09|10)") and tags("log3"); };
>
> #Configuration for Destinations
> destination d_log1 { file("/var/logs/log1/combined.log" perm(0755) dir_perm(0755)); };
> destination d_log2 { file("/var/logs/log2/combined.log" perm(0755) dir_perm(0755)); };
> destination d_log3 { file("/var/logs/log3/combined.log" perm(0755) dir_perm(0755)); };
>
> # Logfile log1
> log {
> source(s_remote);
> filter(f_log1);
> destination(d_log1);
> };
>
> # Logfile log2
> log {
> source(s_remote);
> filter(f_log2);
> destination(d_log2);
> };
>
> # Logfile log3
> log {
> source(s_remote);
> filter(f_log3);
> destination(d_log3);
> };
>
> ----------------------------------------------------------------------------------------------------
>
> Does anybody have an idea why it does not work as expected?
>
> Thanks for any suggestion and/or idea.
>
> Best regards Stefan
>
>
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.campin.net/syslog-ng/faq.html
>
>
>
> --
> pzolee
>
>
>
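
The program_override workaround from the quoted reply, carried through to the central server, as an added example that is not part of the original thread. The short "app-logN" labels are assumed names chosen here (the reply uses the file paths as values); s_remote and d_log1..d_log3 are the definitions from the original post, and the relay needs no change because it forwards the message as received.

```conf
# Added example, not from the thread. "app-log1".."app-log3" are assumed labels.

# ---- client: put the label into $PROGRAM, which is part of the sent message.
# ---- tags() are dropped here because they never leave this syslog-ng instance.
source s_app {
    file("/var/log/log1.log"  program_override("app-log1"));
    file("/opt//log/log2.log" program_override("app-log2"));
    file("/opt/log/log3.log"  program_override("app-log3"));
};

destination d_app { tcp("logrelay01.domain.com" port(13074)); };

log {
    source(s_app);
    destination(d_app);
};

# ---- central server (/opt/config/syslogng-inc.conf): filter on the program
# ---- name instead of tags(). Anchored patterns keep the three labels distinct,
# ---- so f_log1 no longer also matches the log2 and log3 messages.
filter f_log1 { host("web00(09|10)") and program("^app-log1$"); };
filter f_log2 { host("web00(09|10)") and program("^app-log2$"); };
filter f_log3 { host("web00(09|10)") and program("^app-log3$"); };

log {
    source(s_remote);
    filter(f_log1);
    destination(d_log1);
};

log {
    source(s_remote);
    filter(f_log2);
    destination(d_log2);
};

log {
    source(s_remote);
    filter(f_log3);
    destination(d_log3);
};
```

Both $PROGRAM and, with keep_hostname(yes), the hostname are read from the message itself, so these filters sort logs by what the sender claims and do not authenticate where a message came from.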

