Tagging messages

You can label the messages with custom tags. Tags are simple labels, identified by their names, which must be unique. Currently AxoSyslog can tag a message at the following places:

  • At the source when the message is received.
    • AxoSyslog automatically adds the .source.<id_of_the_source_statement> tag to every incoming message.
    • You can add custom tags using the tags() option of the source.
    • AxoSyslog 4.7 and newer automatically adds the following tags if it encounters errors when parsing syslog messages.

      • message.utf8_sanitized: The message is not valid UTF-8.
      • syslog.missing_timestamp: The message has no timestamp.
      • syslog.invalid_hostname: The hostname field doesn’t seem to be valid, for example, it contains invalid characters. For details on the valid characters, see the check-hostname() global option.
      • syslog.missing_pri: The priority (PRI) field is missing from the message.
      • syslog.unexpected_framing: An octet count was found in front of the message, suggesting invalid framing.
      • syslog.rfc3164_missing_header: The date and the host are missing from an RFC3164-formatted message. In practice, that is the entire header of RFC3164-formatted messages.
      • syslog.rfc5424_unquoted_sdata_value: An RFC5424 message contains an incorrectly quoted SDATA field.
      • message.parse_error: Some other parsing error occurred.
  • When the message matches a pattern in the pattern database. For details on using the pattern database, see Using pattern databases. For details on creating tags in the pattern database, see The pattern database format.
  • Tags can also be added and deleted using rewrite rules. For details, see Add and delete tags.

You can use the tags() filter to select only specific messages.

  • Tagging messages and also filtering on the tags is very fast, much faster than other types of filters.
  • Tags are available locally, that is, if you add tags to a message on the client, these tags will not be available on the server.
  • To include the tags in the message, use the ${TAGS} macro in a template. Alternatively, if you are using the IETF-syslog message format, you can include the ${TAGS} macro in the .SDATA.meta part of the message. Note that the ${TAGS} macro is available only in AxoSyslog 3.1.1 and later.

For an example on tagging, see Example: Adding tags and filtering messages with tags.
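
The following configuration is an added illustration, not taken from the AxoSyslog documentation. It tags messages at the source, uses the tags() filter to route messages that carry the automatic parse-error tags (AxoSyslog 4.7 and newer) to a separate file, and writes ${TAGS} into the output so the tags survive beyond the local host. The statement names, port, custom tag names, and file paths are assumptions chosen for the example.

```conf
@version: 4.7

# Source with custom tags. AxoSyslog also adds ".source.s_net" automatically.
source s_net {
    network(
        transport("tcp")
        port(514)                      # assumed listening port
        tags("edge", "untrusted")      # assumed custom tag names
    );
};

# Match any of the tags that AxoSyslog 4.7+ sets on syslog parsing errors.
filter f_malformed {
    tags("message.utf8_sanitized")
    or tags("syslog.missing_timestamp")
    or tags("syslog.invalid_hostname")
    or tags("syslog.missing_pri")
    or tags("syslog.unexpected_framing")
    or tags("syslog.rfc3164_missing_header")
    or tags("syslog.rfc5424_unquoted_sdata_value")
    or tags("message.parse_error");
};

# Tags are local to this host, so record them explicitly with ${TAGS}.
destination d_quarantine {
    file("/var/log/quarantine/malformed.log"    # assumed path
        template("${ISODATE} ${HOST} tags=${TAGS} ${MESSAGE}\n"));
};

destination d_clean {
    file("/var/log/remote/messages.log");       # assumed path
};

# Malformed messages stop here because of flags(final).
log {
    source(s_net);
    filter(f_malformed);
    destination(d_quarantine);
    flags(final);
};

# Everything else continues to the normal destination.
log {
    source(s_net);
    destination(d_clean);
};
```

Keeping malformed input in its own file gives you one place to review senders that produce broken framing, missing headers, or invalid UTF-8, without mixing that traffic into the normal log stream.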