cloudfoundry-community/logsearch-for-cloudfoundry

Starting a discussion about using blackbox in the syslog-release and logsearch

bandesz opened this issue · 0 comments

Hi,

As some of you probably know, there is a blackbox component in the syslog-release which is enabled by default and also enabled in cf-deployment (if you enable the syslog opsfile). The blackbox component tails all log files under /var/vcap/sys/log/*/* and forwards these logs to the rsyslog daemon. There is also another rule higher up to exclude all logs tagged "vcap.*".
Blackbox essentially replaces logger.

The problem is that the new logs won't be tagged with vcap.component_name but only with component_name.

Do you have any plans to support this setup? Do you know about operators who are in a similar situation? Currently we have a fork of this repository and had to amend some Logstash filters to not expect "vcap." prefixes.