[syslog-ng] Problem using tags with syslog-ng 3.1

Balazs Scheidler bazsi at balabit.hu
Sun Apr 4 11:12:38 CEST 2010 

On Fri, 2010-04-02 at 15:50 -0700, Lance Laursen wrote:
> On Fri, Apr 2, 2010 at 1:25 AM, SZALAY Attila <sasa at balabit.hu> wrote:
>         Hi All!
>         
>         On Thu, 2010-04-01 at 11:37 -0600, Martin Holste wrote:
>         > Ok, I think I see what you're saying: the tag only exists on
>         the local
>         > box and does not get forwarded in the message.  You were
>         saying you
>         > have to overwrite the original program with some other value
>         so that
>         > the tag is permanent and will survive multiple relays.
>          Sorry for the
>         > confusion.
>         
>         
>         Try to think about the tags as a sticky note on a package.
>         When I want
>         to create a lot of uniform white bag I put a sticky note into
>         it, so I
>         can make a difference between them. But after I write the
>         correct
>         adresses I take off the notes from it. In the example the tag
>         is not
>         surviving the relays, He put the tag _value_ into an another
>         field. Just
>         like if I put some information into the destination address to
>         my mail.
>         
>         But I think that the idea of the persistant tags is great. And
>         in the
>         new syslog protocol there is space for it. I will create a
>         feature
>         request for it. :)
>         
>         
>  
> I agree. When tagging was first announced I was disappointed that they
> would not survive relays. Program_override is a way to 'tag' relayed
> messages, but it seems like a work-around (just like, say, using
> templates to add a custom string before $MSG to filter for at your
> receiving host). In a large setup, matching by host or other means is
> not manageable (especially if you want your configs to be multi-site
> compatible), so I think persistent tags would be a useful feature when
> sending from syslog-ng to syslog-ng.

True enough, it wasn't our original intention with the tags filter, but
that's how open source works: we create a feature and you have a new
idea based on that.

We already had a $TAGS macro that at least makes it possible to include
the set of TAGS in a message template, making it easier to transfer it
to the other side. I've ported this functionality to OSE 3.1 with this
patch:

commit 0fed21453d7adb2a2befd534d1dea72b1d5599ee
Author: Balazs Scheidler <bazsi at balabit.hu>
Date:   Sun Apr 4 11:09:22 2010 +0200

    template: added TAGS macro support
    
    which expands to a set of comma separated tag values



Something like this would work for instance:

rewrite r_tags { set("$TAGS" value(".SDATA.local.tags")); };

Which would include the tags value in the local.tags structured data
member (when using the new syslog protocol). Of course you could also
include the tags value in the message itself if you need to stick with
the legacy BSD syslog.

Transferring the complete message _with_ all metainformation is in our
plans. (e.g. creating a serialized representation of a message and
transfer that)


-- 
Bazsi

More information about the syslog-ng mailing list