Thanks for the reply. I am using version 3.5, so I am reading the admin guide for 3.5 now to see if I have something configured that isn't available in this version.
As far as the template, I thought the ${R_DATE} was a macro. Maybe I am misunderstanding then. What I need is to take a part of the log that comes in and remove it. Here is a sample of the message I have below. What is the best way to remove the date portion that isn't part of the standard syslog message (the part delimited by ***)?
Jan 15 13:12:35 10.251.11.241 ***2019 Jan 15 13:12:35 CST:*** %DAEMON-3-SYSTEM_MSG: NTP Receive dropping message: Received NTP control mode packet. Drop count:147908 - ntpd[15029]
Regards,
Max
On Tue, Jan 15, 2019 at 12:03 AM Péter, Kókai <peter.kokai@oneidentity.com> wrote:
Hello,
As *--syntax-only* suggests, it only checks for syntactic errors. A common way to find such issues is to start the process in the foreground:
* stop the syslog-ng systemd service (so it won't get in the way)
* start syslog-ng as systemd would do, plus include the -F (foreground) option and -e (print internal logs to stderr); optionally you may also use -d (debug) and -v (verbose), but in this case -Fe would probably suffice
I just tried your config (with additional @version: 3.18), and it started just fine.
About the second part. You are already using a template in your configuration for the date column (${R_DATE}); in the values you should be able to use any template (not template function due).
-- Kokan
On Mon, Jan 14, 2019 at 10:54 PM N. Max Pierson <nmaxpierson@gmail.com> wrote:
Hi List,
I have 2 questions about the sql driver. First, I am trying to get messages into sql using the sql driver but I get an error when I try and restart syslog-ng when I enable the log statement with the sql destination. The syslog-ng --syntax-only command runs without any issues but systemd throws an error that it cannot restart the service but doesn't give a clear reason. My config is below, doesn't anyone know where in a log I can see why it won't restart??
source s_network { udp(ip(0.0.0.0) port(514)); };
destination d_mysql {
    sql(type(mysql)
        host("127.0.0.1") username("syslog-ng") password("password")
        database("syslog")
        table("messages_${HOST}")
        columns("date", "host", "message")
        values("${R_DATE}", "${HOST}", "${MESSAGE}")
        indexes("date", "host")
    );
};
log { source(s_network); destination(d_mysql); };
My second question is can you use a template with the sql destination driver? I need to reformat some Cisco Nexus logs because of how it formats the date (looks to be non RFC compliant) and if so, can someone give me a sample of config with the template in the sql destination driver? I cannot seem to find in the docs if this is even possible much less an example of how to do it.
TIA, Max
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
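As an added example (not from the thread or from the syslog-ng project), the Python below checks a regular expression for the extra Nexus timestamp against the sample line in Max's message, with the *** emphasis markers taken out, and splits the line into the date, host and message columns named in the sql() destination. The function and group names are hypothetical, and the second sample line is constructed.

```python
import re

# Extra timestamp a Cisco Nexus puts in front of the %FACILITY tag,
# e.g. "2019 Jan 15 13:12:35 CST: ". Group names are this example's own.
NEXUS_TS = re.compile(
    r"(?P<dev_ts>\d{4} [A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (?P<tz>[A-Z]{2,5}): ")

# Leading part of a line as written in the post: "Mmm dd hh:mm:ss host rest".
LINE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<rest>.*)$")

def split_nexus_line(line):
    """Split a line into date/host/message, dropping a leading Nexus timestamp.

    Lines without the extra timestamp pass through unchanged. Lines that do
    not look like "date host message" return None, so the caller can set them
    aside instead of storing a half-parsed row.
    """
    m = LINE.match(line.rstrip("\n"))
    if m is None:
        return None
    rest = m.group("rest")
    device_time = None
    # match() anchors at the start of the message, so a timestamp that is
    # quoted later inside the event text is left alone.
    ts = NEXUS_TS.match(rest)
    if ts:
        device_time = f"{ts.group('dev_ts')} {ts.group('tz')}"
        rest = rest[ts.end():]
    return {"date": m.group("date"), "host": m.group("host"),
            "message": rest, "device_time": device_time}

SAMPLE_LINES = [
    # From the post, without the *** markers the poster added for emphasis.
    "Jan 15 13:12:35 10.251.11.241 2019 Jan 15 13:12:35 CST: %DAEMON-3-SYSTEM_MSG: "
    "NTP Receive dropping message: Received NTP control mode packet. "
    "Drop count:147908 - ntpd[15029]",
    # Constructed: an ordinary line with no extra timestamp.
    "Jan 15 13:12:40 10.251.11.241 sshd[411]: session opened",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(split_nexus_line(sample))
```

The device's own timestamp is returned separately rather than thrown away, so it can still be compared with the receive time if clock drift on the switch matters.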