[syslog-ng] Using source tags in rewrites?

syslogng at feystorm.net syslogng at feystorm.net
Wed Aug 11 02:04:15 CEST 2010


Ok, I see what you're doing now :-)
There's another simple solution that pops into mind; the file() source 
driver supports the 'program-override()' option. Basically any logs read 
from that file would have whatever $PROGRAM you specified. And that 
$PROGRAM macro will be propagated from the client syslog-ng to your server.

-Patrick

Sent: Tuesday, August 10, 2010 5:12:10 PM
From: Steve Barnes <steve at echo.id.au>
To: Syslog-ng users' and developers' mailing list 
<syslog-ng at lists.balabit.hu>
Subject: Re: [syslog-ng] Using source tags in rewrites?
>> To what end?
>> Rewrites are used to change or set key/value pairs. Flags aren't key/value
>> pairs, they're flags, meaning you either have the flag, or you don't. Think
>> of it this way; each incoming log statement has a list of flag names
>> associated with it, you can see if a certain flag name is in that list,
>> but that's it.
>> It would help to know what you're trying to accomplish though.
>> -Patrick
>>     
>
> Patrick
>
> I have ~70 different log files containing the results of a daily
> processing cycle. None of these log files are Syslog formatted. Unlike an
> Apache log file entry, each line of these log files is ambiguous - unless
> you referred to a portion of the file name, you'd have no way to
> differentiate a line from one file with another line from another file.
>
> The plan is to have SyslogNG set up as a client on a machine, tracking the
> contents of these files as they are updated. Interesting lines are
> filtered on the client with matching lines pushed across the network to a
> SyslogNG server. The server is responsible for processing lines against a
> pattern DB and then stuffing the useful information into a PostgreSQL
> backend.
>
> What I was hoping to do on the client side is tag each source in
> syslog-ng.conf with a meaningful name and then include that tag in either
> the IETF structured data or, by using a rewrite, prefix each log line
> before transmission with the tag value. This would give the SyslogNG
> server at the other end some way to differentiate messages as they arrived.
>
> Further reading yesterday uncovered the following in the 3.2 PE
> documentation:
>
> http://www.balabit.com/dl/html/syslog-ng-pe-v3.2-guide-admin-en.html/tagging_messages.html
>
> "To include the tags in the message, use the $TAGS macro in a template.
> Alternatively, if you are using the IETF-syslog message format, you can
> include the $TAGS macro in the .SDATA.meta part of the message. Note that
> the $TAGS macro is available only in syslog-ng PE 3.1.1 and later."
>
> So it looks like I've found the answer to my question? Before I start
> along the path seeking purchase approval for SyslogNG PE, I wanted to make
> sure there was no other way to do what I had in mind?
>
> Cheers
>
> Steve
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.campin.net/syslog-ng/faq.html
>
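Patrick's program-override() suggestion and the $TAGS approach from the quoted documentation, combined into one syslog-ng configuration. This is an added example, not from either poster; the file paths, program names, tag names, server hostname and port are constructed placeholders, and the $TAGS line only works on a version that has that macro (PE 3.1.1+ per the quoted docs).

```conf
@version: 3.2

# ---- Client side (the machine that tails the ~70 daily-cycle files) ----
# One file() source per log file. program-override() stamps every line read
# from that file with a fixed $PROGRAM, so the otherwise ambiguous lines
# carry their origin in the syslog header when they leave the client.
# tags() adds the source tag that $TAGS can later surface.
# flags(no-parse) keeps syslog-ng from trying to parse these non-syslog
# lines as syslog messages; the whole line lands in $MESSAGE.
source s_cycle_billing {
    file("/var/log/cycle/billing.log"            # constructed path
         program-override("cycle-billing")       # constructed program name
         tags("billing", "daily-cycle")          # constructed tag names
         flags(no-parse));
};

source s_cycle_inventory {
    file("/var/log/cycle/inventory.log"          # constructed path
         program-override("cycle-inventory")     # constructed program name
         tags("inventory", "daily-cycle")        # constructed tag names
         flags(no-parse));
};

# Only the interesting lines cross the network (pattern is a placeholder).
filter f_interesting { match("ERROR|WARN|COMPLETED" value("MESSAGE")); };

# IETF syslog over TCP: $PROGRAM travels in the header, so the server can
# key on it without any client-side rewrite.
destination d_server {
    syslog("logserver.example.internal" transport("tcp") port(601));
};

log {
    source(s_cycle_billing);
    source(s_cycle_inventory);
    filter(f_interesting);
    destination(d_server);
};

# ---- Server side ----
# Route on the overridden $PROGRAM and prefix each stored line with it,
# plus the tags, so downstream pattern-DB parsing knows which file the
# line came from.
source s_net { syslog(ip("0.0.0.0") transport("tcp") port(601)); };

filter f_billing { program("cycle-billing"); };

template t_tagged { template("${PROGRAM} [${TAGS}] ${MESSAGE}\n"); };

destination d_billing {
    file("/var/log/server/billing.log" template(t_tagged));   # constructed path
};

log { source(s_net); filter(f_billing); destination(d_billing); };
```

Because $PROGRAM here is set by the client configuration rather than by the log file itself, the server's routing is only as trustworthy as the client that sent the message; if the server also receives logs from other hosts, filter on $HOST (or a dedicated listener) alongside program() before trusting the prefix.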