[syslog-ng] Problem using tags with syslog-ng 3.1
Martin Holste
mcholste at gmail.com
Thu Apr 1 16:58:23 CEST 2010
Ok, so '.sources' has nothing to do with user-provided tags, but in his
example Marci uses:
source s_tcp2 {
tcp(ip(192.168.1.2) port(1514) tags("tcp", "windows"));
};
#Match on tags "tcp" or "udp"
filter f_net {
tags("tcp", "udp");
};
Which seems to imply that arbitrary user tags can be set and then matched on
in a filter later. So, it seems what is missing from Stefan's config was:
source s_remote { tcp(ip("0.0.0.0") port(13074) keep-alive(yes) tags("log2")); };
Which would allow his later filter statement
filter f_log2 { host("web00(09|10)") and tags("log2"); };
to succeed. Right?
On Thu, Apr 1, 2010 at 8:37 AM, Zoltán Pallagi <pzolee at balabit.hu> wrote:
> Martin Holste wrote:
>
> Please step in and correct me if I'm wrong here, but according to Marci's
> blog post at
> http://marci.blogs.balabit.com/2009/05/tag-support-in-syslog-ng.html it
> would appear that this is possible using different syntax. Namely, using
> tags(".source.log2") in your filter.
>
> No, you are using a wrong tag name.
> In this case, you can use the following tag:
> tags(".source.s_app")
>
> This is an on-the-fly generated tag; every incoming message gets one, built
> with the following formula: ".source.<sourcename>"
>
>
> On Wed, Mar 31, 2010 at 12:57 PM, Zoltán Pallagi <pzolee at balabit.hu> wrote:
>
>> Hi,
>>
>> I'm afraid that you may misunderstand how this feature works. The tag
>> field exists only within a running syslog-ng and is just a virtual part of the
>> message. The sent message doesn't contain tag fields, which is why you cannot
>> filter on these tags with another syslog-ng.
>>
>> However, I can suggest another solution:
>> use the program_override option. This will override the $PROGRAM macro
>> with the specified value.
>> For example:
>> source s_app {
>> file("/var/log/log1.log" program_override("/var/log/log1.log"));
>> file("/opt//log/log2.log" tags("log2") program_override("/opt/log/log2.log"));
>> file("/opt/log/log3.log" tags("log3") program_override("/opt/log/log3.log"));
>> };
>>
>> After that, you can use a specified program filter on the central logging
>> server side to separate them.
>>
>> On 2010.03.31. 16:39, Hoenig, Stefan, VF-Group wrote:
>>
>> Hi all,
>> I have a problem getting the "tags" feature working on our syslog-ng 3.1. I
>> want to collect messages from 3 different files on the
>> source system and want to separate them again on the central logging
>> server.
>> The client configuration looks like this:
>>
>> ----------------------------------------------------------------------------------------------------
>> source s_app {
>> file("/var/log/log1.log");
>> file("/opt//log/log2.log" tags("log2"));
>> file("/opt/log/log3.log" tags("log3"));
>> };
>> options {
>> };
>>
>> destination d_app { tcp("logrelay01.domain.com" port(13074)); };
>>
>> log {
>> source(s_app);
>> destination(d_app);
>> };
>>
>> ----------------------------------------------------------------------------------------------------
>>
>> The log relay does nothing but forward the messages to the central
>> logging server with the following config:
>>
>> ----------------------------------------------------------------------------------------------------
>> options {
>> time_sleep(20);
>> log_fifo_size(1000);
>> dns_cache(2000);
>> dns_cache_expire(87600);
>> keep_hostname(yes);
>> };
>>
>> source s_remote { tcp(ip("0.0.0.0") port(13074)); };
>>
>> destination remote_tcp { tcp("centrallog01.domain.com" port(13074)); };
>>
>> log {
>> source(s_remote);
>> destination(remote_tcp);
>> };
>>
>> ----------------------------------------------------------------------------------------------------
>>
>> On the central logging server I use filters to separate the logfiles
>> again:
>>
>> ----------------------------------------------------------------------------------------------------
>> @version: 3.0
>> include "/opt/config/syslogng-inc.conf";
>>
>> options {
>> time_sleep(20);
>> dns_cache(2000);
>> dns_cache_expire(87600);
>> keep_hostname(yes);
>> create_dirs(yes);
>> };
>>
>> source s_remote { tcp (ip("0.0.0.0") port(13074) keep-alive(yes)); };
>> ============================================
>>
>> This is the configuration in /opt/config/syslogng-inc.conf
>> # Filter
>> filter f_log1 { host("web00(09|10)"); };
>> filter f_log2 { host("web00(09|10)") and tags("log2"); };
>> filter f_log3 { host("web00(09|10)") and tags("log3"); };
>>
>> #Configuration for Destinations
>> destination d_log1 { file("/var/logs/log1/combined.log" perm(0755)
>> dir_perm(0755)); };
>> destination d_log2 { file("/var/logs/log2/combined.log" perm(0755)
>> dir_perm(0755)); };
>> destination d_log3 { file("/var/logs/log3/combined.log" perm(0755)
>> dir_perm(0755)); };
>> # Logfile log1
>> log {
>> source(s_remote);
>> filter(f_log1);
>> destination(d_log1);
>> };
>>
>> # Logfile log2
>> log {
>> source(s_remote);
>> filter(f_log2);
>> destination(d_log2);
>> };
>>
>> # Logfile log3
>> log {
>> source(s_remote);
>> filter(f_log3);
>> destination(d_log3);
>> };
>>
>> ----------------------------------------------------------------------------------------------------
>>
>> Does anybody have an idea why it does not work as expected?
>>
>> Thanks for any suggestion and/or idea.
>>
>> Best regards Stefan
>>
>>
>>
>> ______________________________________________________________________________
>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>> FAQ: http://www.campin.net/syslog-ng/faq.html
>>
>>
>>
>> --
>> pzolee
>>
>>
>>
>>
>>
>
>
>
> --
> pzolee
>
>
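The point the thread converges on is that tags() set on the client never leave that syslog-ng process, while $PROGRAM does travel in the message, so the client has to stamp the identity into a wire-visible field and the central server has to filter on that field. The following configuration is an added example that is not from the thread or the syslog-ng project; it keeps the hostnames and port from Stefan's configuration, but the short program names "log1"/"log2"/"log3", the 0640/0750 file permissions and the filter names are my own choices.

```conf
# ---------------- client (source host) ----------------
@version: 3.1

source s_app {
    # tags() is only visible inside this syslog-ng instance: it is a
    # virtual attribute of the in-memory message and is not serialized
    # into what goes out over tcp(). program_override() rewrites $PROGRAM,
    # which IS part of the wire format, so the central server can see it.
    # Short names (my choice) avoid putting "/" into the syslog TAG field.
    file("/var/log/log1.log" program_override("log1"));
    file("/opt/log/log2.log" tags("log2") program_override("log2"));
    file("/opt/log/log3.log" tags("log3") program_override("log3"));
};

destination d_app { tcp("logrelay01.domain.com" port(13074)); };

log { source(s_app); destination(d_app); };

# ---------------- relay (unchanged in behaviour) ----------------
# keep_hostname(yes) matters here: the central server's host() filter
# must see the original client name, not the relay's.
options { keep_hostname(yes); };

source s_remote { tcp(ip("0.0.0.0") port(13074)); };
destination d_central { tcp("centrallog01.domain.com" port(13074)); };
log { source(s_remote); destination(d_central); };

# ---------------- central logging server ----------------
source s_remote { tcp(ip("0.0.0.0") port(13074) keep-alive(yes)); };

# Every message read from s_remote carries the auto-generated tag
# ".source.s_remote" (formula ".source.<sourcename>"); it never carries
# "log2" or "log3" from the client, so tags("log2") here can never match.
filter f_from_s_remote { tags(".source.s_remote"); };

# host() and program() take regular expressions; anchor program() so
# "log1" cannot also match a hypothetical "log10".
filter f_log1 { host("web00(09|10)") and program("^log1$"); };
filter f_log2 { host("web00(09|10)") and program("^log2$"); };
filter f_log3 { host("web00(09|10)") and program("^log3$"); };

# Log files do not need the execute bit; 0640/0750 instead of 0755 keeps
# collected logs readable only by the syslog-ng user and its group.
destination d_log1 { file("/var/logs/log1/combined.log" perm(0640) dir_perm(0750)); };
destination d_log2 { file("/var/logs/log2/combined.log" perm(0640) dir_perm(0750)); };
destination d_log3 { file("/var/logs/log3/combined.log" perm(0640) dir_perm(0750)); };

log { source(s_remote); filter(f_log1); destination(d_log1); };
log { source(s_remote); filter(f_log2); destination(d_log2); };
log { source(s_remote); filter(f_log3); destination(d_log3); };
```

The three sections above belong in three different syslog-ng.conf files (client, relay, central server); they are shown together only to make the end-to-end flow visible. Before relying on it, check each file with `syslog-ng -s -f <file>` and send one line into each client file to confirm it lands in the expected combined.log; if log1 messages also show up in log2, the program() regex is not anchored or the relay is not preserving the original hostname.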