<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Balazs,<br>
<br>
I have done as you suggested and run syslog-ng in debugging mode, same
syslog-ng.conf as before. It appears that the first entry line
(root.geocode_access) matches the filter but does not trigger the SQL
insert. However, if I reverse the order of the log{} definitions, then
it does work and the other one doesn't! I get different results
depending on the order of the two statements below. It looks like the
SQL insert only happens for the log definition that is last.<br>
<br>
log {<br>
source(s_sys);<br>
filter(f_geocode);<br>
parser(p_geocode);<br>
destination(d_geocode);<br>
};<br>
<br>
log {<br>
source(s_sys);<br>
filter(f_ut_access);<br>
parser(p_ut_access);<br>
destination(d_ut_access);<br>
};<br>
<br>
I think this is a bug. Would you please take a look?<br>
<br>
Thanks,<br>
Liam<br>
<br>
/usr/local/sbin/syslog-ng --foreground --verbose --debug --stderr -p
/var/run/syslogd.pid <br>
Running application hooks; hook='1'<br>
Running application hooks; hook='3'<br>
syslog-ng starting up; version='3.0.1'<br>
Database thread started;<br>
Incoming log entry; line='<14>obsidian: 2009-02-17
10:47:55,75.101.83.163,/hCi/KM35kk,root.geocode_access,INFO,san
francisco,"San Francisco, CA, US",37.77916,-122.420049\x0a'<br>
Filter rule evaluation begins; filter_rule='f_filter2'<br>
Filter node evaluation result; filter_result='match',
filter_type='level'<br>
Filter node evaluation result; filter_result='match',
filter_type='facility'<br>
Filter node evaluation result; filter_result='match', filter_type='AND'<br>
Filter rule evaluation result; filter_result='match',
filter_rule='f_filter2'<br>
Initializing destination file writer; template='/var/log/messages',
filename='/var/log/messages'<br>
Filter rule evaluation begins; filter_rule='f_filter3'<br>
Filter node evaluation result; filter_result='not-match',
filter_type='facility'<br>
Filter rule evaluation result; filter_result='not-match',
filter_rule='f_filter3'<br>
Filter rule evaluation begins; filter_rule='f_filter4'<br>
Filter node evaluation result; filter_result='not-match',
filter_type='facility'<br>
Filter rule evaluation result; filter_result='not-match',
filter_rule='f_filter4'<br>
Filter rule evaluation begins; filter_rule='f_filter5'<br>
Filter node evaluation result; filter_result='not-match',
filter_type='level'<br>
Filter rule evaluation result; filter_result='not-match',
filter_rule='f_filter5'<br>
Filter rule evaluation begins; filter_rule='f_filter6'<br>
Filter node evaluation result; filter_result='not-match',
filter_type='facility'<br>
Filter node evaluation result; filter_result='not-match',
filter_type='facility'<br>
Filter node evaluation result; filter_result='not-match',
filter_type='AND'<br>
Filter node evaluation result; filter_result='not-match',
filter_type='OR'<br>
Filter rule evaluation result; filter_result='not-match',
filter_rule='f_filter6'<br>
Filter rule evaluation begins; filter_rule='f_filter7'<br>
Filter node evaluation result; filter_result='not-match',
filter_type='facility'<br>
Filter rule evaluation result; filter_result='not-match',
filter_rule='f_filter7'<br>
Filter rule evaluation begins; filter_rule='f_filter8'<br>
Filter node evaluation result; filter_result='not-match',
filter_type='facility'<br>
Filter rule evaluation result; filter_result='not-match',
filter_rule='f_filter8'<br>
Filter rule evaluation begins; filter_rule='f_geocode'<br>
Filter node evaluation result; filter_result='match'<br>
Filter node evaluation result; filter_result='match',
filter_type='level'<br>
Filter node evaluation result; filter_result='match', filter_type='AND'<br>
Filter node evaluation result; filter_result='match',
filter_type='filter(f_obsidian)'<br>
Filter node evaluation result; filter_result='match'<br>
Filter node evaluation result; filter_result='match', filter_type='AND'<br>
Filter rule evaluation result; filter_result='match',
filter_rule='f_geocode' <font color="#ff0000">### Looks like a match,
so SQL Insert should go here, right?</font><br>
Filter rule evaluation begins; filter_rule='f_ut_access'<br>
Filter node evaluation result; filter_result='match'<br>
Filter node evaluation result; filter_result='match',
filter_type='level'<br>
Filter node evaluation result; filter_result='match', filter_type='AND'<br>
Filter node evaluation result; filter_result='match',
filter_type='filter(f_obsidian)'<br>
Filter node evaluation result; filter_result='not-match'<br>
Filter node evaluation result; filter_result='not-match',
filter_type='AND'<br>
Filter rule evaluation result; filter_result='not-match',
filter_rule='f_ut_access'<br>
Incoming log entry; line='<14>obsidian: 2009-02-17
10:47:55,75.101.83.163,/hCi/KM35kk,root.ut_access,INFO,,,,,/v1/?loc=san+francisco&start=0&rows=10&f=html,,,37.77916,-122.420049\x0a'<br>
Filter rule evaluation begins; filter_rule='f_filter2'<br>
Filter node evaluation result; filter_result='match',
filter_type='level'<br>
Filter node evaluation result; filter_result='match',
filter_type='facility'<br>
Filter node evaluation result; filter_result='match', filter_type='AND'<br>
Filter rule evaluation result; filter_result='match',
filter_rule='f_filter2'<br>
Filter rule evaluation begins; filter_rule='f_filter3'<br>
Filter node evaluation result; filter_result='not-match',
filter_type='facility'<br>
Filter rule evaluation result; filter_result='not-match',
filter_rule='f_filter3'<br>
Filter rule evaluation begins; filter_rule='f_filter4'<br>
Filter node evaluation result; filter_result='not-match',
filter_type='facility'<br>
Filter rule evaluation result; filter_result='not-match',
filter_rule='f_filter4'<br>
Filter rule evaluation begins; filter_rule='f_filter5'<br>
Filter node evaluation result; filter_result='not-match',
filter_type='level'<br>
Filter rule evaluation result; filter_result='not-match',
filter_rule='f_filter5'<br>
Filter rule evaluation begins; filter_rule='f_filter6'<br>
Filter node evaluation result; filter_result='not-match',
filter_type='facility'<br>
Filter node evaluation result; filter_result='not-match',
filter_type='facility'<br>
Filter node evaluation result; filter_result='not-match',
filter_type='AND'<br>
Filter node evaluation result; filter_result='not-match',
filter_type='OR'<br>
Filter rule evaluation result; filter_result='not-match',
filter_rule='f_filter6'<br>
Filter rule evaluation begins; filter_rule='f_filter7'<br>
Filter node evaluation result; filter_result='not-match',
filter_type='facility'<br>
Filter rule evaluation result; filter_result='not-match',
filter_rule='f_filter7'<br>
Filter rule evaluation begins; filter_rule='f_filter8'<br>
Filter node evaluation result; filter_result='not-match',
filter_type='facility'<br>
Filter rule evaluation result; filter_result='not-match',
filter_rule='f_filter8'<br>
Filter rule evaluation begins; filter_rule='f_geocode'<br>
Filter node evaluation result; filter_result='match'<br>
Filter node evaluation result; filter_result='match',
filter_type='level'<br>
Filter node evaluation result; filter_result='match', filter_type='AND'<br>
Filter node evaluation result; filter_result='match',
filter_type='filter(f_obsidian)'<br>
Filter node evaluation result; filter_result='not-match'<br>
Filter node evaluation result; filter_result='not-match',
filter_type='AND'<br>
Filter rule evaluation result; filter_result='not-match',
filter_rule='f_geocode'<br>
Filter rule evaluation begins; filter_rule='f_ut_access'<br>
Filter node evaluation result; filter_result='match'<br>
Filter node evaluation result; filter_result='match',
filter_type='level'<br>
Filter node evaluation result; filter_result='match', filter_type='AND'<br>
Filter node evaluation result; filter_result='match',
filter_type='filter(f_obsidian)'<br>
Filter node evaluation result; filter_result='match'<br>
Filter node evaluation result; filter_result='match', filter_type='AND'<br>
Filter rule evaluation result; filter_result='match',
filter_rule='f_ut_access'<br>
Running SQL query; query='SELECT * FROM ut_access_log WHERE 0=1'<br>
Running SQL query; query='INSERT INTO ut_access_log (datetime,
query_time, host, program, pid, request_id, level, ip, phone_id,
phone_type, software_version, client_version, query_string, art_id,
session_id, lat, lng) VALUES (\'2009-02-17T13:47:55-05:00\',
\'2009-02-17 10:47:55\', \'127.0.0.1\', \'obsidian\', \'\',
\'/hCi/KM35kk\', \'info\', \'75.101.83.163\', \'\', \'\', \'\', \'\',
\'/v1/?loc=san+francisco&start=0&rows=10&f=html\', \'\',
\'\', \'37.77916\', \'-122.420049\')'<br>
<br>
Balazs Scheidler wrote:
<blockquote cite="mid:1234689185.5646.49.camel@bzorp.balabit"
type="cite">
<pre wrap="">On Fri, 2009-02-13 at 12:25 -0800, Liam Kirsher wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Hi --
I am /almost/ there, logging to Postgres database. However, I've
discovered a puzzling and problematic behavior. This is probably just
some simple misunderstanding on my part, since this is my first foray
into syslog-ng.
I am logging to two different db tables. Which table I log to is
determined by a regexp filter. The value is either root.ut_access or
root.geocode.
I can get either one to work, but not both at the same time.
If I comment out the log entry for the geocode, then ut_access works.
However, if both log entries exist, only the gecocode_access_log table
gets a new row. Nothing is logged to the ut_access_log table! (Both
messages are logged to d_obsidian destination file, however.)
I've attached my config file.
</pre>
</blockquote>
<pre wrap="">
Hmm.. could you post two example messages that should go to one or the
other destination?
Since you didn't specify flags(final) to either log statements, both
should be doing their job, independently from the other. The only thing
that should control whether one or the other destination is used is the
attached filter. You can get filter debugging by enabling the --debug /
--verbose options.
Be sure that you run syslog-ng in the foreground if you specify these as
these easily generate loops in the configuration unless the internal()
source is not present. (use --foreground for that, internal() messages
will be printed on the standard error).
Judging the config I can't see an obvious problem, that's why I wanted
to test it, but I'd need a sample log message for that.
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Liam Kirsher
PGP: <a class="moz-txt-link-freetext" href="http://liam.numenet.com/pgp/">http://liam.numenet.com/pgp/</a>
</pre>
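Added example, not part of the original message or of syslog-ng: one way to check a captured --debug run for the symptom reported above, a filter rule that matches with no SQL INSERT for its table. The sample is constructed from the output above with one debug message per line; the filter-to-table mapping and the table name geocode_access_log are assumptions.<br>

```python
import re
from collections import Counter

# Constructed sample, condensed from the debug output in this message; each
# syslog-ng debug message sits on one line, as it does on stderr.
SAMPLE = """\
Incoming log entry; line='obsidian: 2009-02-17 10:47:55,75.101.83.163,/hCi/KM35kk,root.geocode_access,INFO'
Filter rule evaluation result; filter_result='match', filter_rule='f_filter2'
Filter rule evaluation result; filter_result='match', filter_rule='f_geocode'
Filter rule evaluation result; filter_result='not-match', filter_rule='f_ut_access'
Incoming log entry; line='obsidian: 2009-02-17 10:47:55,75.101.83.163,/hCi/KM35kk,root.ut_access,INFO'
Filter rule evaluation result; filter_result='match', filter_rule='f_filter2'
Filter rule evaluation result; filter_result='not-match', filter_rule='f_geocode'
Filter rule evaluation result; filter_result='match', filter_rule='f_ut_access'
Running SQL query; query='SELECT * FROM ut_access_log WHERE 0=1'
Running SQL query; query='INSERT INTO ut_access_log (datetime, host) VALUES (...)'
"""

# Assumption: the table each filter's log path writes to. ut_access_log is the
# table named in the INSERT above; geocode_access_log is an assumed name.
FILTER_TABLE = {"f_geocode": "geocode_access_log", "f_ut_access": "ut_access_log"}

MATCH = re.compile(
    r"Filter rule evaluation result; filter_result='match', filter_rule='([^']+)'")
INSERT = re.compile(r"Running SQL query; query='INSERT INTO (\w+)")

def insert_shortfall(debug_text, filter_table):
    """Map table to (filter matches, INSERTs seen) where INSERTs fall short.

    Counts are taken over the whole run, not per message, so the result does
    not depend on where the INSERT line lands relative to the filter result.
    """
    expected, seen = Counter(), Counter()
    for line in debug_text.splitlines():
        m = MATCH.search(line)
        if m and m.group(1) in filter_table:
            expected[filter_table[m.group(1)]] += 1
        m = INSERT.search(line)
        if m:
            seen[m.group(1)] += 1
    return {t: (n, seen[t]) for t, n in expected.items() if n > seen[t]}

if __name__ == "__main__":
    for table, (want, got) in insert_shortfall(SAMPLE, FILTER_TABLE).items():
        print("%s: %d filter match(es), %d INSERT(s)" % (table, want, got))
```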
</body>
</html>