[syslog-ng] Remote tags

Nikolay P nikolay.p at cos.flag.org
Tue Nov 25 15:20:17 CET 2014


Thank you, Sascha for sharing your example of config.

That is exactly how I set it up after Fabian's answer.

I used .SDATA.meta@11111.tags to store my tags, and on the server they were seen as a string of comma-separated values, so to match particular ones I used filters like this:

filter f_example {
        match("example" value(".SDATA.meta@11111.tags"));
};

Later I realized that I was reinventing the wheel, because what I was trying to achieve was to separate logs generated by system programs from logs generated by userland programs. Now I am filtering them based on facility.

But I am still using .SDATA.meta. On every computer I set this:

rewrite r_is_computer {
        set("true" value(".SDATA.meta@11111.is_computer"));
};

In this way, on the server end, I can easily distinguish logs generated by computers from logs generated by other network equipment, and I do not have to use IP-based filtering.

Nikolay.

----- Original Message -----
From: "Sascha Lucas" <Sascha.Lucas at gisa.de>
To: syslog-ng at lists.balabit.hu
Sent: Tuesday, November 25, 2014 2:34:00 AM GMT -05:00 US/Canada Eastern
Subject: Re: [syslog-ng] Remote tags

Hi Nikolay,

> Could anyone here advise me if it is possible to set a tags() on a log
> entry on one machine, send this log message to a remote syslog-ng and
> use this tags() in a filter on the remote machine?

As Fabien pointed out, it is possible. I'm doing something similar using the RFC 5424 protocol:

The first thing I do is rewrite the log to append locally scoped macro data into the SDATA structure (here I'm using $SOURCEIP, where you want $tags). When I read RFC 5424 I remembered that there are custom data structures where you can store your tags (I decided to abuse .SDATA.origin.ip for my purpose):

rewrite r_sdata {
        set("$SOURCEIP" value(".SDATA.origin.ip"));
};

The second thing is to use the syslog() driver (capable of sending and receiving RFC 5424):

destination d_logserver { syslog("X.X.X.X" transport("udp")); };

And finally, the log line:

log { source(s_network); source(src); rewrite(r_sdata); destination(d_logserver); };

On the server I have a source capable of RFC 5424:

source s_network { syslog( transport("udp") flags(validate-utf8) so-rcvbuf(2097152)); };

The transferred information is directly available on the server in the macro ${.SDATA.origin.ip}. Your tags may be a bit special, because multiple tags would be transferred as a comma-separated string. Matching on a single tag would probably mean rewriting the log again, this time with something like set("${.SDATA.your.structure}. " value("tags"));.

HTH, Sascha.

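Added example (editor's, not code from either poster): a complete client and collector configuration for the approach both messages above describe, so the pieces can be seen in one place. Hostnames, ports, file paths, the tag names and the SD-ID meta@11111 (the number is carried over from Nikolay's message; RFC 5424 expects the part after the @ to be your own IANA private enterprise number) are placeholder assumptions. It deliberately departs from the thread in two places a practitioner should care about: the tag filter is anchored so that a tag "example" does not also match "example2" or "myexample", and the transport is TCP rather than UDP, because the is_computer flag and the tags are asserted by the sender, and a UDP collector cannot even tell which host really sent the datagram.

```conf
# Added example, not from the thread. Hosts, ports, paths, tag names and the
# SD-ID "meta@11111" are assumptions; replace 11111 with your own enterprise
# number. Each of the two files starts with its own @version line.

#### /etc/syslog-ng/syslog-ng.conf on the client (the "computer") ####
@version: 3.5

# Tags are attached where the message enters syslog-ng. $TAGS later expands
# to every tag of the message as a comma-separated list.
source s_app { file("/var/log/app/app.log" tags("example", "userland")); };

# Copy local-only metadata into STRUCTURED-DATA so it survives the wire.
# ".SDATA.<sd-id>.<param>" name-value pairs are what the syslog() driver
# serialises into the RFC 5424 SD element [meta@11111 is_computer="true" tags="..."].
rewrite r_meta {
    set("true"  value(".SDATA.meta@11111.is_computer"));
    set("$TAGS" value(".SDATA.meta@11111.tags"));
};

# TCP rather than UDP: UDP gives no delivery guarantee and its source address
# is trivially forged, so a UDP collector cannot rely on is_computer at all.
destination d_logserver {
    syslog("logserver.example.net" transport("tcp") port(601));
};

log { source(s_app); rewrite(r_meta); destination(d_logserver); };

#### /etc/syslog-ng/syslog-ng.conf on the collector ####

source s_network {
    syslog(ip("0.0.0.0") port(601) transport("tcp") flags(validate-utf8));
};

# The SD value arrives as the plain string "example,userland", so a bare
# match("example" ...) is a substring test and also accepts "myexample" or
# "example2". Anchor the tag to the start/end of the string or to a comma.
filter f_tag_example {
    match("(^|,)example(,|$)" value(".SDATA.meta@11111.tags") type("pcre"));
};

# is_computer is asserted by the sender and never verified here: it sorts
# traffic, it is not authentication. Compare the whole value, not a substring.
filter f_is_computer { "${.SDATA.meta@11111.is_computer}" == "true"; };

destination d_example   { file("/var/log/remote/tag-example.log"); };
destination d_computers { file("/var/log/remote/computers.log"); };
destination d_netdev    { file("/var/log/remote/network-equipment.log"); };

# The tag path comes first: flags(final) on the is_computer path stops those
# messages from reaching any later path, which makes the last path a clean
# catch-all for everything that did not claim to be a computer.
log { source(s_network); filter(f_tag_example); destination(d_example); };
log { source(s_network); filter(f_is_computer); destination(d_computers); flags(final); };
log { source(s_network); destination(d_netdev); };
```

If the classification ever has to be trusted rather than merely convenient, swap transport("tcp") for transport("tls") with a tls() block on both ends and verify client certificates on the collector; the SDATA-based sorting above stays exactly the same.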

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq