Tagging messages

You can label the messages with custom tags. Tags are simple labels, identified by their names, which must be unique. Currently AxoSyslog can tag a message at the following places:

  • At the source when the message is received.
    • AxoSyslog automatically adds the .source.<id_of_the_source_statement> tag to every incoming message.
    • You can add custom tags using the tags() option of the source.
    • AxoSyslog 4.7 and newer automatically adds the following tags if it encounters errors when parsing syslog messages.

      • message.utf8_sanitized: The message is not valid UTF-8.
      • syslog.missing_timestamp: The message has no timestamp.
      • syslog.invalid_hostname: The hostname field doesn’t seem to be valid, for example, it contains invalid characters.
      • syslog.missing_pri: The priority (PRI) field is missing from the message.
      • syslog.unexpected_framing: An octet count was found in front of the message, suggesting invalid framing.
      • syslog.rfc3164_missing_header: The date and the host are missing from an RFC3164-formatted message - practically that’s the entire header of RFC3164-formatted messages.
      • syslog.rfc5424_unquoted_sdata_value: An RFC5424 message contains an incorrectly quoted SDATA field.
      • message.parse_error: Some other parsing error occurred.
  • When the message matches a pattern in the pattern database. For details on using the pattern database, see Using pattern databases. For details on creating tags in the pattern database, see The pattern database format.
  • Tags can also be added and deleted using rewrite rules. For details, see Adding and deleting tags.

You can use the tags() filter to select only specific messages.

  • Tagging messages and also filtering on the tags is very fast, much faster than other types of filters.
  • Tags are available only locally: if you add tags to a message on the client, these tags will not be available on the server.
  • To include the tags in the message, use the ${TAGS} macro in a template. Alternatively, if you are using the IETF-syslog message format, you can include the ${TAGS} macro in the .SDATA.meta part of the message. Note that the ${TAGS} macro is available only in AxoSyslog 3.1.1 and later.

For an example on tagging, see Example: Adding tags and filtering messages with tags.
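
The following configuration is an added example, not taken from the AxoSyslog documentation. It combines a custom source tag, the tags() filter on the parser error tags listed above, and the ${TAGS} macro, so that malformed messages land in a separate file for review. The statement names (s_net, f_parse_suspect, d_quarantine, d_clean), the "perimeter" tag, the port, and the file paths are assumptions; the parser error tags require AxoSyslog 4.7 or newer.

```conf
@version: 4.7

# Assumed listener; every message also gets the automatic .source.s_net tag.
source s_net {
    network(
        transport("tcp")
        port(514)
        tags("perimeter")    # custom tag added at the source
    );
};

# Match any message that the syslog parser flagged (tags from the list above).
filter f_parse_suspect {
    tags("message.parse_error")
    or tags("message.utf8_sanitized")
    or tags("syslog.missing_pri")
    or tags("syslog.missing_timestamp")
    or tags("syslog.invalid_hostname")
    or tags("syslog.unexpected_framing")
    or tags("syslog.rfc3164_missing_header")
    or tags("syslog.rfc5424_unquoted_sdata_value");
};

# Tags are local to this instance, so write them out with ${TAGS}.
# ${SOURCEIP} is logged because the hostname field may be the invalid part.
destination d_quarantine {
    file("/var/log/axosyslog/parse-suspect.log"
        template("${ISODATE} src=${SOURCEIP} tags=${TAGS} msg=${MESSAGE}\n")
    );
};

destination d_clean {
    file("/var/log/axosyslog/network.log");
};

# Flagged messages stop here (final) and do not reach the second log path.
log {
    source(s_net);
    filter(f_parse_suspect);
    destination(d_quarantine);
    flags(final);
};

log {
    source(s_net);
    destination(d_clean);
};
```

A sudden rise in entries in the quarantine file from one source address usually points to a misconfigured sender or a non-syslog client connecting to the port.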

Last modified April 19, 2024: [4.7] Documents parser error tags (446cd3e)