[syslog-ng] preserving tags across the network

Matt Zagrabelny mzagrabe at d.umn.edu
Fri Nov 11 18:04:30 CET 2011


Hi,

I am trying to ship a bunch of apache log files across the network and
then, on the syslog-ng server side, break them into their individual
files again.

I am not sure of the best way to do this, but it looks like tags might be helpful.

On my apache system I have the following snippets:

-----{syslog-ng client begin}-----

source s_apache_access {
  file("/var/log/apache2/access.log"
       tags("main_access")
      );
};

source s_apache_other_vhost_access {
  file("/var/log/apache2/other_vhost.log"
       tags("other_vhost_access")
      );
};

destination d_server {
                   syslog(
                          "10.0.0.1"
                          transport("tls")
                          port(6514)
                          tls(
                              peer-verify(required-trusted)
                              ca_dir('/etc/syslog-ng/ssl/ca.d')
                              key_file('/etc/syslog-ng/ssl/server.key')
                              cert_file('/etc/syslog-ng/ssl/server.crt')
                             )
                         );
};

log {
  source(s_apache_access);
  source(s_apache_other_vhost_access);
  destination(d_server);
};

-----{syslog-ng client end}-----

On my server I have the following:

-----{syslog-ng server begin}-----

source s_tls {
              syslog(
                     ip(0.0.0.0)
                     port(6514)
                     transport("tls")
                     tls(
                         peer-verify(required-trusted)
                         ca_dir('/etc/syslog-ng/ssl/ca.d')
                         key_file('/etc/syslog-ng/ssl/server.key')
                         cert_file('/etc/syslog-ng/ssl/server.crt')
                        )
                     max_connections(1000)
                     keep_hostname(yes)
                    );
};

filter f_main_apache_access {
  tags("main_access");
};

destination d_main_access {
  file("/var/log/apache2/access.log");
};

log {
  source(s_tls);
  filter(f_main_apache_access);
  destination(d_main_access);
};

-----{syslog-ng server end}-----

It doesn't look like the "tag" is being preserved through the network.
Does anyone know if tags are the right mechanism for splitting apart
(filtering) the aggregate stream coming in on the server?

Any other advice would be greatly appreciated.

Thanks!

-matt zagrabelny
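
Added example, not part of the original post: syslog-ng tags are metadata local to one syslog-ng instance and are not carried in the message sent by syslog(), so this sketch labels each file through the PROGRAM field instead, which is transmitted. The label strings, the extra filter and destination names, and the use of flags(no-parse) are assumptions; the source names, paths and s_tls come from the post.

```conf
# ----- client (apache host) -----
source s_apache_access {
  file("/var/log/apache2/access.log"
       flags(no-parse)                         # keep the raw apache line as ${MESSAGE}
       program_override("apache_main_access")  # constructed label, sent as PROGRAM
      );
};

source s_apache_other_vhost_access {
  file("/var/log/apache2/other_vhost.log"
       flags(no-parse)
       program_override("apache_other_vhost_access")  # constructed label
      );
};

# destination d_server and the client log path stay as in the post.

# ----- server -----
# PROGRAM is asserted by the sender. If several clients share s_tls,
# combine these filters with a host() or netmask() filter so one client
# cannot write into another client's files.
filter f_main_apache_access { program("^apache_main_access$"); };
filter f_other_vhost_access { program("^apache_other_vhost_access$"); };

# Write only ${MESSAGE} so each file contains the original apache line
# without the syslog header added in transit.
destination d_main_access {
  file("/var/log/apache2/access.log" template("${MESSAGE}\n"));
};
destination d_other_vhost_access {
  file("/var/log/apache2/other_vhost.log" template("${MESSAGE}\n"));
};

log { source(s_tls); filter(f_main_apache_access); destination(d_main_access); };
log { source(s_tls); filter(f_other_vhost_access); destination(d_other_vhost_access); };
```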

