On Fri, 2004-11-19 at 18:42, James Masson wrote:
I've been trying to figure out an obscure problem with syslog-ng importing to a mysql database.
I have various types of network devices feeding syslog-ng on local3 through local6. I can import from Cisco, UNIX servers, Windows - but not Netscreen firewalls!
Each device type gets its own mysql database. The mysql INSERT INTO statements for the Netscreen logs are truncated and hence fail to import because the mysql syntax is not correct.
I chased wild geese for a while thinking the log format of the Netscreen was messing with mysql - but that's not the case. Notice it's just truncating the last few characters of each statement - including the all-important ")" and "\n" newline that closes the mysql statement. I dumped an instance or two of these to a file instead of the normal fifo, added a ")" and a newline at the end of each, and it imported just fine!
IIRC there was a problem report about NetScreen logs including a NUL character somewhere in the middle of the message. That might cause this problem. Can you tcpdump an incoming UDP message as it reaches syslog-ng? I'd need the complete frame, so be sure to use the -s parameter for tcpdump (specifying the maximum frame size; make sure it is at least the size of your MTU).
-- Bazsi
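One way to check such a capture for the NUL byte mentioned in the reply above, as an added example that is not part of the original thread: it reads a classic little-endian pcap (as written by `tcpdump -w`), pulls out each UDP payload, flags frames cut short by the snap length, and reports NUL offsets. It assumes plain Ethernet/IPv4 frames; the helper names, addresses and payloads are constructed for illustration.

```python
import struct

def udp_payloads(pcap: bytes):
    """Yield (payload, snap_truncated) for each Ethernet/IPv4/UDP frame in a
    classic little-endian pcap file."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    pos = 24                                   # skip the global header
    while pos + 16 <= len(pcap):
        _, _, incl_len, orig_len = struct.unpack_from("<IIII", pcap, pos)
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue                           # not IPv4/UDP
        udp = 14 + (frame[14] & 0x0F) * 4      # Ethernet + IP header length
        udp_len = struct.unpack_from("!H", frame, udp + 4)[0]
        # incl_len < orig_len means the -s snap length cut the frame short
        yield frame[udp + 8:udp + udp_len], incl_len < orig_len

def nul_report(payload: bytes) -> dict:
    """Offsets of NUL bytes and the length a NUL-terminated view would keep."""
    offsets = [i for i, b in enumerate(payload) if b == 0]
    return {"length": len(payload), "nul_offsets": offsets,
            "c_string_length": offsets[0] if offsets else len(payload)}

def build_frame(payload: bytes, snaplen: int = 65535) -> bytes:
    """Constructed sample: pcap record holding payload in Ethernet/IPv4/UDP."""
    udp = struct.pack("!HHHH", 514, 514, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    frame = b"\x00" * 12 + b"\x08\x00" + ip + udp
    header = struct.pack("<IIII", 0, 0, min(len(frame), snaplen), len(frame))
    return header + frame[:snaplen]

PCAP_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
# Constructed payloads, not real device output.
CLEAN = b"<158>fw01: traffic log action=Permit"
WITH_NUL = b"<158>fw01: traffic log\x00 action=Permit"
SAMPLE = (PCAP_HEADER + build_frame(CLEAN) + build_frame(WITH_NUL)
          + build_frame(CLEAN, snaplen=68))    # last frame captured too short

if __name__ == "__main__":
    for payload, truncated in udp_payloads(SAMPLE):
        print(nul_report(payload), "snap-truncated" if truncated else "complete")
```

A frame reported as snap-truncated was captured with too small a `-s` value, so its payload cannot be used to judge where the message really ends.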