[syslog-ng] Problem using tags with syslog-ng 3.1

Zoltán Pallagi pzolee at balabit.hu
Thu Apr 1 17:40:38 CEST 2010


Martin Holste wrote:
> Ok, so '.sources' has nothing to do with user-provided tags, but in 
> his example Marci uses:
>
> source s_tcp2 {
> tcp(ip("192.168.1.2") port(1514) tags("tcp", "windows"));
> };
>
> #Match on tags "tcp" or "udp"
> filter f_net {
> tags("tcp", "udp");
> };
>
> Which seems to imply that arbitrary user tags can be set and then 
> matched on in a filter later.  So, it seems what is missing from 
> Stefan's config was:
>
> source s_remote { tcp(ip("0.0.0.0") port(13074) keep-alive(yes) 
> tags("log2")); };
>
> Which would allow his later filter statement
>
> filter f_log2 { host("web00(09|10)") and tags("log2"); };
>
> to succeed.  Right?
Yes and no. It's a correct way to use tagging on sources.

And no, because his original aim wasn't that.
He wanted to mark logs coming from different source files of the client 
by tags and then to recreate almost the same file and log structure on 
the server by these tags.

In your solution he would have only one tag for all the messages coming 
from different sources of the client.

>
> On Thu, Apr 1, 2010 at 8:37 AM, Zoltán Pallagi <pzolee at balabit.hu> wrote:
>
>     Martin Holste wrote:
>>     Please step in and correct me if I'm wrong here, but according to
>>     Marci's blog post at
>>     http://marci.blogs.balabit.com/2009/05/tag-support-in-syslog-ng.html
>>     it would appear that this is possible using different syntax. 
>>     Namely, using tags(".source.log2") in your filter.
>     No, you are using a wrong tag name.
>     In this case, you can use the following tag:
>     tags(".source.s_app")
>
>     this is an on-the-fly generated tag; every incoming message gets
>     one, built with the following formula: ".source.<sourcename>"
>>
>>     On Wed, Mar 31, 2010 at 12:57 PM, Zoltán Pallagi
>>     <pzolee at balabit.hu> wrote:
>>
>>         Hi,
>>
>>         I'm afraid that you may misunderstand the working of this
>>         feature. The tag field exists only within a running syslog-ng
>>         and just a virtual part of the message. The sent message
>>         doesn't contain tag fields that's why you cannot filter these
>>         tags with another syslog-ng.
>>
>>         However, I can suggest you another solution:
>>         use the program_override option. This will override the
>>         $PROGRAM macro with the specified value.
>>         For example:
>>         source s_app {
>>         file("/var/log/log1.log" program_override("/var/log/log1.log"));
>>         file("/opt//log/log2.log" tags("log2")
>>         program_override("/opt/log/log2.log"));
>>         file("/opt/log/log3.log" tags("log3")
>>         program_override("/opt/log/log3.log"));
>>         };
>>
>>         After that, you can use a specified program filter on the
>>         central logging server side to separate them.
>>
>>         2010.03.31. 16:39 keltezéssel, Hoenig, Stefan, VF-Group írta:
>>>         Hi all,
>>>         I got a problem to get the "tags" feature working on our
>>>         syslog-ng 3.1. I want to collect messages from 3 different
>>>         files on the
>>>         source system and want to separate them again on the central
>>>         logging server.
>>>         The client configuration looks like this:
>>>         ----------------------------------------------------------------------------------------------------
>>>         source s_app {
>>>         file("/var/log/log1.log");
>>>         file("/opt//log/log2.log" tags("log2"));
>>>         file("/opt/log/log3.log" tags("log3"));
>>>         };
>>>         options {
>>>         };
>>>
>>>         destination d_app { tcp("logrelay01.domain.com" port(13074)); };
>>>
>>>         log {
>>>         source(s_app);
>>>         destination(d_app);
>>>         };
>>>         ----------------------------------------------------------------------------------------------------
>>>          
>>>         The log relay does nothing than forward the messages to the
>>>         central logging server with the following config:
>>>         ----------------------------------------------------------------------------------------------------
>>>         options {
>>>         time_sleep(20);
>>>         log_fifo_size(1000);
>>>         dns_cache(2000);
>>>         dns_cache_expire(87600);
>>>         keep_hostname(yes);
>>>         };
>>>
>>>         source s_remote { tcp(ip("0.0.0.0") port(13074)); };
>>>          
>>>         destination remote_tcp { tcp("centrallog01.domain.com" port(13074)); };
>>>          
>>>         log {
>>>         source(s_remote);
>>>         destination(remote_tcp);
>>>         };
>>>         ----------------------------------------------------------------------------------------------------
>>>          
>>>         On the central logging server I use filters to separate the
>>>         logfiles again:
>>>         ----------------------------------------------------------------------------------------------------
>>>         @version: 3.0
>>>         include "/opt/config/syslogng-inc.conf";
>>>          
>>>         options {
>>>         time_sleep(20);
>>>         dns_cache(2000);
>>>         dns_cache_expire(87600);
>>>         keep_hostname(yes);
>>>         create_dirs(yes);
>>>         };
>>>
>>>         source s_remote { tcp (ip("0.0.0.0") port(13074)
>>>         keep-alive(yes)); };
>>>         ============================================
>>>          
>>>         This is the configuration in /opt/config/syslogng-inc.conf
>>>         # Filter
>>>         filter f_log1 { host("web00(09|10)"); };
>>>         filter f_log2 { host("web00(09|10)") and tags("log2"); };
>>>         filter f_log3 { host("web00(09|10)") and tags("log3"); };
>>>          
>>>         #Configuration for Destinations
>>>         destination d_log1 { file("/var/logs/log1/combined.log"
>>>         perm(0755) dir_perm(0755)); };
>>>         destination d_log2 { file("/var/logs/log2/combined.log"
>>>         perm(0755) dir_perm(0755)); };
>>>         destination d_log3 { file("/var/logs/log3/combined.log"
>>>         perm(0755) dir_perm(0755)); };
>>>         # Logfile log1
>>>         log {
>>>         source(s_remote);
>>>         filter(f_log1);
>>>         destination(d_log1);
>>>         };
>>>          
>>>         # Logfile log2
>>>         log {
>>>         source(s_remote);
>>>         filter(f_log2);
>>>         destination(d_log2);
>>>         };
>>>          
>>>         # Logfile log3
>>>         log {
>>>         source(s_remote);
>>>         filter(f_log3);
>>>         destination(d_log3);
>>>         };
>>>         ----------------------------------------------------------------------------------------------------
>>>          
>>>         Does anybody have an idea why it does not work as expected?
>>>          
>>>         Thanks for any suggestion and/or idea.
>>>          
>>>         Best regards Stefan
>>>          
>>>
>>>
>>>         ______________________________________________________________________________
>>>         Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>>         Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>>>         FAQ: http://www.campin.net/syslog-ng/faq.html
>>>
>>>           
>>
>>
>>         -- 
>>         pzolee
>>
>>
>>
>>
>
>
>     -- 
>     pzolee
>         
>
>


-- 
pzolee
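For reference, here is the program_override workaround carried through on both ends. This is an added example, not a configuration posted in the thread; the file paths, hostnames, port and host pattern are taken from Stefan's and Zoltán's messages above, the directory permissions are my own choice. The point it demonstrates is that $PROGRAM travels inside the syslog header and can therefore be filtered on a remote syslog-ng, whereas tags() exist only inside the process that assigned them.

```conf
# ---- client (the host that owns log1..log3) ----
# program_override() stamps $PROGRAM, which is part of the on-wire
# syslog header. tags() are never sent, so they are omitted here.
source s_app {
    file("/var/log/log1.log" program_override("/var/log/log1.log"));
    file("/opt/log/log2.log" program_override("/opt/log/log2.log"));
    file("/opt/log/log3.log" program_override("/opt/log/log3.log"));
};

destination d_app { tcp("logrelay01.domain.com" port(13074)); };

log { source(s_app); destination(d_app); };

# ---- central logging server ----
# keep_hostname(yes) is required on every hop (relay included), otherwise
# $HOST is rewritten to the forwarding box and host() never matches.
options {
    keep_hostname(yes);
    create_dirs(yes);
};

source s_remote { tcp(ip("0.0.0.0") port(13074) keep-alive(yes)); };

# program() and host() take regular expressions, hence the anchors and
# the escaped dots. Each filter now selects exactly one source file;
# Stefan's original f_log1 had no second term and matched everything.
filter f_log1 { host("^web00(09|10)$") and program("^/var/log/log1\\.log$"); };
filter f_log2 { host("^web00(09|10)$") and program("^/opt/log/log2\\.log$"); };
filter f_log3 { host("^web00(09|10)$") and program("^/opt/log/log3\\.log$"); };

# Log files should not be world-readable or executable; 0640/0750 chosen
# here instead of the 0755 used in the thread.
destination d_log1 { file("/var/logs/log1/combined.log" perm(0640) dir_perm(0750)); };
destination d_log2 { file("/var/logs/log2/combined.log" perm(0640) dir_perm(0750)); };
destination d_log3 { file("/var/logs/log3/combined.log" perm(0640) dir_perm(0750)); };

log { source(s_remote); filter(f_log1); destination(d_log1); };
log { source(s_remote); filter(f_log2); destination(d_log2); };
log { source(s_remote); filter(f_log3); destination(d_log3); };
```

Two things worth keeping in mind when routing this way: both $HOST and $PROGRAM are values asserted by the sending machine in the message header, so the host() and program() filters are routing keys, not proof of where a line came from; and the on-the-fly ".source.<sourcename>" tag Zoltán mentions is only useful on the server itself (for example tags(".source.s_remote") to mean "anything that arrived over the TCP listener"), because like any other tag it is not carried between syslog-ng instances.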
