<HTML>
<HEAD>
<TITLE>Re: [syslog-ng] Colon embedded in messages (:)</TITLE>
</HEAD>
<BODY>
<FONT SIZE="4"><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>I think Syslog-ng thinks insert is a program name. Use a template with $PROGRAM in it to see if it prints “insert” to confirm this.<BR>
<BR>
Solution:<BR>
Send a program name before your sql statement using a template.<BR>
<BR>
<BR>
On 9/29/09 8:57 AM, "James Kelly" &lt;james.kelly@hmsinc.com&gt; wrote:<BR>
<BR>
</SPAN></FONT></FONT><BLOCKQUOTE><FONT SIZE="4"><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>Hello,<BR>
<BR>
I am attempting to implement syslog-ng on our servers hosting postgresql databases. The general idea is to log "too much" at the database level and then, using syslog filters, reduce it to the information we want to actually hold in the syslog and send to the log server. So far I am extremely pleased with how easy it is to implement and well documented. However, I do have one problem that is making it difficult to use.<BR>
<BR>
The problem is that for each message that the filter matches, it does not completely drop the message; rather, it logs the date / server / and a colon:<BR>
<BR>
For example, this is what I get for a message that is matched by a filter:<BR>
<BR>
"Sep 29 09:43:29 hcdb1-rep2 :"<BR>
<BR>
I notice that even with the unmatched statements, there is a colon. For example, in the postgresql log, I see:<BR>
<BR>
insert into "public"."table"(blah,blah,blah) values (blah,blah,blah);<BR>
<BR>
but the same message once captured from syslog shows the following in the log and logserver:<BR>
<BR>
Sep 29 09:43:29 hcdb1-rep2 insert: into "public"."table"(blah,blah,blah) values (blah,blah,blah);<BR>
<BR>
*Note the colon after "insert".* I can't seem to figure out where this is coming from or how to avoid it. It also causes some filtering problems that I won't go into here so as to not confuse the issues, but safe to say it is also related to the colon.<BR>
<BR>
I have spent a lot of time trying to figure this out and am at a dead-end. Due to the amount of messages I need to filter out (below is just one of the many filters I need to put in and have tested with the same result), not being able to completely filter these out is a killer.<BR>
<BR>
I am using the 3.0.4 open-source edition on Ubuntu 8. Here is my config:<BR>
<BR>
******************************************************************************************<BR>
@version: 3.0<BR>
<BR>
options {<BR>
};<BR>
<BR>
######<BR>
# sources<BR>
source s_local {<BR>
# message generated by Syslog-NG<BR>
internal();<BR>
# standard Linux log source (this is the default place for the syslog()<BR>
# function to send logs to)<BR>
unix-stream("/dev/log");<BR>
# messages from the kernel<BR>
file("/proc/kmsg" program_override("kernel: "));<BR>
file("/var/log/postgresql/postgresql-8.3-main.log");<BR>
};<BR>
<BR>
<BR>
######<BR>
# destinations<BR>
destination d_messages { file("/var/log/messages"); };<BR>
<BR>
#####<BR>
# filters<BR>
<BR>
filter f_inserts2 {<BR>
not match("_health_central" value("MESSAGE"));<BR>
};<BR>
<BR>
<BR>
destination d_logserver { tcp("internal.host.com"); };<BR>
<BR>
<BR>
log {<BR>
source(s_local);<BR>
filter(f_inserts2);<BR>
destination(d_messages);<BR>
#destination(d_logserver);<BR>
};<BR>
******************************************************************************************<BR>
<BR>
Thanks!<BR>
James Kelly<BR>
<BR>
</SPAN></FONT><FONT FACE="Consolas, Courier New, Courier"><SPAN STYLE='font-size:10pt'>
</SPAN></FONT></FONT></BLOCKQUOTE>
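<P>Added example, not part of the original thread or of the syslog-ng project: a configuration sketch of the check the reply suggests (a template that prints $PROGRAM separately) next to one possible fix. The names d_fields, s_pgsql_parsed and s_pgsql_raw, the debug file path, and the choice of flags(no-parse) with program_override("postgres") are assumptions made for illustration.</P>
<PRE>
```conf
@version: 3.0

# Diagnostic destination (hypothetical name and path): print each parsed
# field on its own so a misparse is visible. If the reply's diagnosis is
# right, the sample line from the thread shows up here as
#   program=[insert] msg=[into "public"."table"(...) values (...);]
destination d_fields {
    file("/var/log/pgsql-fields.log"
         template("$DATE $HOST program=[$PROGRAM] msg=[$MSG]\n"));
};

# Before (as in the thread): every line of the file is parsed as a syslog
# message, so the first word of a headerless PostgreSQL line can end up
# in $PROGRAM instead of $MSG.
source s_pgsql_parsed {
    file("/var/log/postgresql/postgresql-8.3-main.log");
};

# After (assumption, one way to supply a program name): skip syslog
# parsing so the whole line stays in $MSG, and set a fixed program name.
source s_pgsql_raw {
    file("/var/log/postgresql/postgresql-8.3-main.log"
         flags(no-parse)
         program_override("postgres"));
};

# Filter from the thread. It only inspects MESSAGE, so any text that the
# parser moved into PROGRAM is invisible to it.
filter f_inserts2 {
    not match("_health_central" value("MESSAGE"));
};

# Point source() at s_pgsql_parsed first to reproduce the problem, then at
# s_pgsql_raw to compare the output in /var/log/pgsql-fields.log.
log {
    source(s_pgsql_raw);
    filter(f_inserts2);
    destination(d_fields);
};
```
</PRE>
<P>Comparing the two runs in the debug file shows which field each word of the SQL statement lands in before any filter depends on it.</P>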
</BODY>
</HTML>