<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
Hi Giovanni,<br>
<br>
the problem is, that you are using the @STRING@ parser to get the
email address, but apart from the alphanumeric chars, the email
address will contain at least an @ sign (and also can contain many
other non-alphanum chars), so I think you would be better off with
using the @ESTRING@ parser and matching the space char at the end of
the email address. The attached xml should match the supplied log
message (but only if the IP address is also valid :))<br>
<br>
blint@lyra:/tmp$ /usr/local/syslog-ng-patternize/bin/pdbtool match
-c -D -p mcs2.xml -P mcs -M "###############Accesso dell'utente
<a class="moz-txt-link-abbreviated" href="mailto:xxxx.1@xxx.mailware.it">xxxx.1@xxx.mailware.it</a> da ip 111.222.111.222"<br>
Pattern matching part:<br>
###############Accesso dell'utente
@ESTRING:LOGIN_USER=xxxx.1@xxx.mailware.it@da ip
@IPv4:IP_SOURCE=111.222.111.222@<br>
Matching part:<br>
###############Accesso dell'utente <a class="moz-txt-link-abbreviated" href="mailto:xxxx.1@xxx.mailware.it">xxxx.1@xxx.mailware.it</a> da ip
111.222.111.222<br>
Values:<br>
MESSAGE=###############Accesso dell'utente <a class="moz-txt-link-abbreviated" href="mailto:xxxx.1@xxx.mailware.it">xxxx.1@xxx.mailware.it</a> da
ip 111.222.111.222<br>
PROGRAM=mcs<br>
.classifier.class=system<br>
.classifier.rule_id=mcs<br>
<a class="moz-txt-link-abbreviated" href="mailto:LOGIN_USER=xxxx.1@xxx.mailware.it">LOGIN_USER=xxxx.1@xxx.mailware.it</a><br>
IP_SOURCE=111.222.111.222<br>
<br>
Best Regards,<br>
Balint<br>
<br>
On 12/16/2010 05:49 PM, Giovanni Mancuso wrote:
<blockquote cite="mid:4D0A4318.1030607@messinalug.org" type="cite">
<meta http-equiv="content-type" content="text/html;
charset=ISO-8859-1">
Hi, <br>
<br>
I configure my Java application to log with log4j in syslog
server, and i configure my syslog-ng to store data in mysql
database, but this doen't work.<br>
<br>
My syslog-ng configuration is:<br>
<br>
<small>@version: 3.0<br>
options { <br>
chain_hostnames(no); <br>
stats_freq(43200); <br>
};<br>
source src {<br>
unix-stream("/dev/log" max-connections(256));<br>
internal();<br>
udp(ip("127.0.0.1") port(514));<br>
file("/proc/kmsg");<br>
};<br>
destination mcs {
file("/var/log/mw-collaboration/mw-collaboration-loginfile.log");
};<br>
destination mcs_sql {<br>
sql(<br>
type(mysql) <br>
host("localhost") <br>
username("syslogng") <br>
password("syslogng")<br>
database("mcslogin")<br>
table("mcslogin")<br>
columns("date varchar(32)","loginuser
varchar(32) ","ipsource varchar(32)")<br>
values("${S_YEAR}-${S_MONTH}-${S_DAY}
${S_HOUR}:${S_MIN}:${S_SEC}","${LOGIN_USER}","${IP_SOURCE}")<br>
);<br>
};<br>
<br>
filter f_mcs { facility(local2); };<br>
parser p_mcs {<br>
db_parser(file("/etc/syslog-ng/patterndb.d/mcs.xml"));<br>
};<br>
log { source(src); filter(f_mcs); parser(p_mcs);
destination(mcs_sql); destination(mcs); };</small><br>
<br>
I created also a db_parser file that is:<br>
<small><br>
<patterndb version='1' pub_date='2010-12-14'><br>
<program name='mcs'><br>
<pattern>mcs</pattern><br>
<rule id='mcs' class='system'><br>
<pattern>###############Accesso
dell'utente @STRING:LOGIN_USER@ da ip
@IPv4:IP_SOURCE@</pattern><br>
</rule><br>
</program><br>
</patterndb></small><br>
<br>
With this configuration, i have that in <small><big>"mcs"</big> <big>destination
it writes all information:<br>
<br>
Dec 16 11:55:44 localhost mcs[123] ###############Accesso
dell'utente <a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:xxxx@xxx.mailware.it">xxxx@xxx.mailware.it</a>
da ip 111.222.333.444<br>
Dec 16 12:53:23 localhost mcs[123] ###############Accesso
dell'utente <a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:xxxx.1@xxx.mailware.it">xxxx.1@xxx.mailware.it</a>
da ip </big></small><small><big>111.222.333.444</big></small><br>
<small><big>Dec 16 14:07:40 localhost mcs[123]
###############Accesso dell'utente <a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:xxxx.1@xxx.mailware.it">xxxx.1@xxx.mailware.it</a>
da ip </big></small><small><big>111.222.333.444</big></small><br>
<br>
but in "mcs_sql" destination, it writes only date:<br>
<small><br>
mysql> desc mcslogin;<br>
+-----------+-------------+------+-----+---------+-------+<br>
| Field | Type | Null | Key | Default | Extra |<br>
+-----------+-------------+------+-----+---------+-------+<br>
| date | varchar(32) | YES | MUL | NULL | |<br>
| loginuser | varchar(32) | YES | | NULL | |<br>
| ipsource | varchar(32) | YES | | NULL | |<br>
+-----------+-------------+------+-----+---------+-------+<br>
3 rows in set (0.00 sec)<br>
<br>
mysql> select * from mcslogin limit 10<br>
-> ;<br>
+---------------------+-----------+----------+<br>
| date | loginuser | ipsource |<br>
+---------------------+-----------+----------+<br>
| 2010-12-15 11:02:16 | | |<br>
| 2010-12-15 11:11:09 | | |<br>
| 2010-12-15 17:53:01 | | |<br>
| 2010-12-15 18:11:55 | | |<br>
| 2010-12-15 18:12:54 | | |<br>
| 2010-12-15 18:35:07 | | |<br>
| 2010-12-16 11:55:36 | | |<br>
| 2010-12-16 11:55:44 | | |<br>
| 2010-12-16 11:55:44 | | |<br>
| 2010-12-16 12:53:23 | | |<br>
+---------------------+-----------+----------+<br>
10 rows in set (0.00 sec)</small><br>
<br>
Can you help me?<br>
<br>
Thanks<br>
<small><big><br>
</big></small>
<pre wrap="">
<fieldset class="mimeAttachmentHeader"></fieldset>
______________________________________________________________________________
Member info: <a class="moz-txt-link-freetext" href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a>
Documentation: <a class="moz-txt-link-freetext" href="http://www.balabit.com/support/documentation/?product=syslog-ng">http://www.balabit.com/support/documentation/?product=syslog-ng</a>
FAQ: <a class="moz-txt-link-freetext" href="http://www.campin.net/syslog-ng/faq.html">http://www.campin.net/syslog-ng/faq.html</a>
</pre>
</blockquote>
</body>
</html>