Last year I wrote an article on how to forward vCenter Server logs to a remote syslog server using the built in syslog-ng client in the VCSA. A few weeks back, I received an interesting email from Michael White sharing details about adding a "tag" or more specifically, adding a string prefix to each syslog entry being forwarded. This was interesting as it enables a user to easily search for a specific log entry based on a "tag" and comes really in handy when you have multiple log sources being forwarded from the same host. An example of this would be the various logs from a vCenter Server such as vpxd, vws, inventoryservice, etc. which all have their own individual logs coming from the same host.
Within the Syslog-ng client configuration, you can specify the log_prefix() option and the string you wish to prefix a given log source. The tag has a specific syntax that must contain a : (colon) and a whitespace after the string (e.g. "VC_APP: ").
Using the vCenter Server as example, we could add the following tags:
After restarting the syslog-ng client for the changes to going into effect, you can head over to your syslog server to view the updated syslog entries. In the screenshot below, we can see we have log sources from both our VC_APP (vpxd.log) and VC_IS (ds.log) entries as specified in our syslog-ng client configurations.
Note: For newer versions of syslog-ng, program_override() is used instead of log_prefix(). The syntax for that would be program_override("VC_APP").
I want to thank Michael for sharing this cool tidbit!
Akshatha says
thanks for the info. How do i add log prefix in syslog-ng_conf if i wnat the string "ABC" to be added if the $program sending message is httpd?
i have my syslog.conf reading messages from
file ("/proc/kmsg" log_prefix("kernel: "));
unix-stream ("/dev/log");
internal()
and message is sent as
template t_filetmpl { template("$ISODATE $FACILITY $HOST $PROGRAM[$PID]: $LEVEL $MSGONLY\n"); template_escape(no); };
destination d_mesg { file("/var/log/messages" template(t_filetmpl)); };
log { source(s_syslogng); source (s_internal);
destination(d_mesg); };