[syslog-ng] Problem using tags with syslog-ng 3.1

Zoltán Pallagi pzolee at balabit.hu
Wed Mar 31 20:57:51 CEST 2010


Hi,

I'm afraid that you may have misunderstood how this feature works. The 
tag field exists only within a running syslog-ng and is just a virtual 
part of the message. The sent message doesn't contain tag fields, which 
is why you cannot filter on these tags with another syslog-ng.

However, I can suggest another solution:
use the program_override option. This will override the $PROGRAM macro 
with the specified value.
For example:
source s_app {
    file("/var/log/log1.log" program_override("/var/log/log1.log"));
    file("/opt//log/log2.log" tags("log2") program_override("/opt/log/log2.log"));
    file("/opt/log/log3.log" tags("log3") program_override("/opt/log/log3.log"));
};

After that, you can use a specified program filter on the central 
logging server side to separate them.

On 2010.03.31. 16:39, Hoenig, Stefan, VF-Group wrote:
> Hi all,
> I have a problem getting the "tags" feature working on our syslog-ng 
> 3.1. I want to collect messages from 3 different files on the
> source system and want to separate them again on the central logging 
> server.
> The client configuration looks like this:
> ----------------------------------------------------------------------------------------------------
> source s_app {
> file("/var/log/log1.log");
> file("/opt//log/log2.log" tags("log2"));
> file("/opt/log/log3.log" tags("log3"));
> };
> options {
> };
>
> destination d_app { tcp("logrelay01.domain.com" port(13074)); };
>
> log {
> source(s_app);
> destination(d_app);
> };
> ----------------------------------------------------------------------------------------------------
> The log relay does nothing other than forward the messages to the 
> central logging server with the following config:
> ----------------------------------------------------------------------------------------------------
> options {
> time_sleep(20);
> log_fifo_size(1000);
> dns_cache(2000);
> dns_cache_expire(87600);
> keep_hostname(yes);
> };
>
> source s_remote { tcp(ip("0.0.0.0") port(13074)); };
> destination remote_tcp { tcp("centrallog01.domain.com" port(13074)); };
> log {
> source(s_remote);
> destination(remote_tcp);
> };
> ----------------------------------------------------------------------------------------------------
> On the central logging server I use filters to separate the logfiles 
> again:
> ----------------------------------------------------------------------------------------------------
> @version: 3.0
> include "/opt/config/syslogng-inc.conf";
> options {
> time_sleep(20);
> dns_cache(2000);
> dns_cache_expire(87600);
> keep_hostname(yes);
> create_dirs(yes);
> };
>
> source s_remote { tcp (ip("0.0.0.0") port(13074) keep-alive(yes)); };
> ============================================
> This is the configuration in /opt/config/syslogng-inc.conf
> # Filter
> filter f_log1 { host("web00(09|10)"); };
> filter f_log2 { host("web00(09|10)") and tags("log2"); };
> filter f_log3 { host("web00(09|10)") and tags("log3"); };
> #Configuration for Destinations
> destination d_log1 { file("/var/logs/log1/combined.log" perm(0755) dir_perm(0755)); };
> destination d_log2 { file("/var/logs/log2/combined.log" perm(0755) dir_perm(0755)); };
> destination d_log3 { file("/var/logs/log3/combined.log" perm(0755) dir_perm(0755)); };
> # Logfile log1
> log {
> source(s_remote);
> filter(f_log1);
> destination(d_log1);
> };
> # Logfile log2
> log {
> source(s_remote);
> filter(f_log2);
> destination(d_log2);
> };
> # Logfile log3
> log {
> source(s_remote);
> filter(f_log3);
> destination(d_log3);
> };
> ----------------------------------------------------------------------------------------------------
> Does anybody have an idea why it does not work as expected?
> Thanks for any suggestion and/or idea.
> Best regards Stefan


-- 
pzolee
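
The central-server half of the suggestion in the reply above, as an added example that is not part of the original message or the poster's configuration. It assumes the clients use the program_override() values shown in the reply, and it reuses the source, host pattern, destination names and file paths from the quoted configuration.

```conf
# Added example: replacement contents for /opt/config/syslogng-inc.conf
# on the central logging server (s_remote is defined in the main config).
# Assumption: every client sets $PROGRAM via program_override() as in the reply.

# tags() cannot match here because tags never leave the sending syslog-ng.
# program() matches the $PROGRAM field, which is part of the forwarded message.
# The argument is a regular expression: single quotes keep the backslash
# literal, and ^...$ prevents one path from matching inside a longer one.
filter f_log1 { host("web00(09|10)") and program('^/var/log/log1\.log$'); };
filter f_log2 { host("web00(09|10)") and program('^/opt/log/log2\.log$'); };
filter f_log3 { host("web00(09|10)") and program('^/opt/log/log3\.log$'); };

# Destinations, same paths as in the quoted configuration
destination d_log1 { file("/var/logs/log1/combined.log"); };
destination d_log2 { file("/var/logs/log2/combined.log"); };
destination d_log3 { file("/var/logs/log3/combined.log"); };

# One log path per file; each filter now matches only its own stream
log { source(s_remote); filter(f_log1); destination(d_log1); };
log { source(s_remote); filter(f_log2); destination(d_log2); };
log { source(s_remote); filter(f_log3); destination(d_log3); };
```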