Re: [syslog-ng] non standard syslog message!
Dear Balazs,

Could you please give me some information about the script which could convert the non-syslog message into standard syslog format?

Thanks.

Regards,
Wilson Lai
System Engineer
IT Dept., SJM
Office: (853)2978585
Mobile: (853)66506709
Email: wilsonlai@macausjm.com

-----Original Message-----
From: syslog-ng-request@lists.balabit.hu [mailto:syslog-ng-request@lists.balabit.hu]
Sent: Friday, September 14, 2007 6:00 PM
To: syslog-ng@lists.balabit.hu
Subject: syslog-ng Digest, Vol 29, Issue 11

Send syslog-ng mailing list submissions to
	syslog-ng@lists.balabit.hu

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.balabit.hu/mailman/listinfo/syslog-ng
or, via email, send a message with subject or body 'help' to
	syslog-ng-request@lists.balabit.hu

You can reach the person managing the list at
	syslog-ng-owner@lists.balabit.hu

When replying, please edit your Subject line so it is more specific than "Re: Contents of syslog-ng digest..."

Today's Topics:

   1. Re: Compiling on HP/UX 11.11 (Balazs Scheidler)
   2. Re: Compiling on HP/UX 11.11 (C Wells)
   3. Mysql Syslog Data (John Hala)
   4. Re: non standard syslog message! (Wilson Lai)
   5. Re: Mysql Syslog Data (Paul Robert Marino)
   6. Re: Compiling on HP/UX 11.11 (Balazs Scheidler)
   7. Re: non standard syslog message! (Balazs Scheidler)

----------------------------------------------------------------------

Message: 1
Date: Thu, 13 Sep 2007 19:04:10 +0200
From: Balazs Scheidler <bazsi@balabit.hu>
Subject: Re: [syslog-ng] Compiling on HP/UX 11.11
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Message-ID: <1189703050.15286.20.camel@bzorp.balabit>
Content-Type: text/plain

On Mon, 2007-09-10 at 10:34 -0700, C Wells wrote:
This glib listed below worked fine (thanks), but then it asked for eventlog version >= 0.2, which I found at balabit and installed and then it asked for libnet, for which I found the binary, so finally the configure worked. Make asked for flex, which I had renamed because it made configure die. I put flex back and it passed that point but dies on this
gcc -g -O2 -Wall -g -o syslog-ng main.o libsyslog-ng.a -lnsl -lrt -L/usr/local/lib -lglib-2.0 -lintl -liconv -L/usr/local/lib -levtlog -lnet
/usr/ccs/bin/ld: Unsatisfied symbols:
   linenum (first referenced in libsyslog-ng.a(cfg-grammar.o)) (data)
   lookup_parse_flag (first referenced in libsyslog-ng.a(cfg-grammar.o)) (code)
   strtoll (first referenced in libsyslog-ng.a(affile.o)) (code)
   yylex (first referenced in libsyslog-ng.a(cfg-grammar.o)) (code)
   lex_init (first referenced in libsyslog-ng.a(cfg.o)) (code)
collect2: ld returned 1 exit status
Your ld is fine. As it seems cfg-lex.c was regenerated and is probably empty, that's why it does not contain the lookup_parse_flag() function. Try removing cfg-lex.c and rerun make. It should regenerate cfg-lex.c using flex.

As I see, the configure test did not find libfl.a (or libfl.so) for some reason. Try adding that to your link command line.

What's the error message of configure that you get if you have flex installed and not renamed?

--
Bazsi

------------------------------

Message: 2
Date: Thu, 13 Sep 2007 11:16:31 -0700 (PDT)
From: C Wells <s2audi@yahoo.com>
Subject: Re: [syslog-ng] Compiling on HP/UX 11.11
To: syslog-ng@lists.balabit.hu
Message-ID: <663351.40801.qm@web60422.mail.yahoo.com>
Content-Type: text/plain; charset=iso-8859-1
What's the error message of configure that you get if you have flex installed and not renamed?
'checking lex output file root... configure: error: cannot find output from flex; giving up'

I guess I can try a newer flex maybe, not sure.

Thanks

------------------------------

Message: 3
Date: Thu, 13 Sep 2007 22:24:02 -0400
From: John Hala <john.hala@villanova.edu>
Subject: [syslog-ng] Mysql Syslog Data
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Message-ID: <294949F5411DFC418D1DEC84BE825AE11DA3CFEA66@VUEX2.vuad.villanova.edu>
Content-Type: text/plain; charset="us-ascii"

So I have my syslogs going to a mysql database. What are some recommended ways to make this data useful?

Here's how I created the table:

CREATE TABLE syslog (
  host varchar(32) default NULL,
  facility varchar(10) default NULL,
  priority varchar(10) default NULL,
  level varchar(10) default NULL,
  tag varchar(10) default NULL,
  date date default NULL,
  time time default NULL,
  program varchar(15) default NULL,
  msg text,
  seq int(10) unsigned NOT NULL auto_increment,
  PRIMARY KEY (seq),
  KEY host (host),
  KEY seq (seq),
  KEY program (program),
  KEY time (time),
  KEY date (date),
  KEY priority (priority),
  KEY facility (facility)
) TYPE=MyISAM;

------------------------------

Message: 4
Date: Fri, 14 Sep 2007 12:03:46 +0800
From: "Wilson Lai" <wilsonlai@macausjm.com>
Subject: Re: [syslog-ng] non standard syslog message!
To: syslog-ng <syslog-ng@lists.balabit.hu>
Message-ID: <H000006e0084a3d0.1189742625.mail.macausjm.com@MHS>
Content-Type: text/plain; charset="US-ASCII"

Hi,

The message is not generated from a Cisco device.
It is a third-party application log which has the following format:

"
Error Browser (Service 14) Thu May 10 01:52:15 2007 [OM 0]
Pid of logging process: 1029
Last Msg ID : JavaMail.root(a).scalix.x.y.com
Last Msg DirectRef: 000a4beace41e153
"

How could I convert it into a standard syslog format?

Thanks.

Regards,
Wilson Lai
System Engineer
IT Dept., SJM
Office: (853)2978585
Mobile: (853)66506709
Email: wilsonlai@macausjm.com

-----Original Message-----
From: syslog-ng-request@lists.balabit.hu [mailto:syslog-ng-request@lists.balabit.hu]
Sent: Thursday, September 13, 2007 6:00 PM
To: syslog-ng@lists.balabit.hu
Subject: syslog-ng Digest, Vol 29, Issue 10

Today's Topics:

   1. Re: syslog-ng Digest, Vol 28, Issue 21 (Balazs Scheidler)

----------------------------------------------------------------------

Message: 1
Date: Wed, 12 Sep 2007 17:06:49 +0200
From: Balazs Scheidler <bazsi@balabit.hu>
Subject: Re: [syslog-ng] syslog-ng Digest, Vol 28, Issue 21
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Message-ID: <1189609609.7181.4.camel@bzorp.balabit>
Content-Type: text/plain

On Fri, 2007-09-07 at 07:26 -0700, Nate Campi wrote:
On Fri, Sep 07, 2007 at 05:26:02PM +0800, Wilson Lai wrote:
Dear all,

What happens if the log message is not a standard syslog message?

Thanks.
If a Cisco switch sends a message like this: 2005 Aug 23 03:04:05 UTC +00:00 %PAGP-5-PORTFROMSTP:Port 4/16 left bridge port 4/16
...it'll be written to disk like this:
Aug 23 03:04:05 switch.company.com 2005 Aug 23 03:04:05 UTC +00:00 %PAGP-5-PORTFROMSTP:Port 4/16 left bridge port 4/16
syslog servers put in a proper syslog formatted header.
The behavior is documented here:
http://www.faqs.org/rfcs/rfc3164.html
It's not syslog-ng specific behavior.
In fact I've added some Cisco date stamp support, so date stamps of some of the Cisco gear are properly recognized. But Cisco is not using consistent timestamps in their different product lines.

--
Bazsi

------------------------------

_______________________________________________
syslog-ng maillist  -  syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng

End of syslog-ng Digest, Vol 29, Issue 10
*****************************************

------------------------------

Message: 5
Date: Fri, 14 Sep 2007 03:08:47 -0400
From: Paul Robert Marino <prmarino1@gmail.com>
Subject: Re: [syslog-ng] Mysql Syslog Data
To: "Syslog-ng users' and developers' mailing list" <syslog-ng@lists.balabit.hu>
Message-ID: <1189753731.9CBEB49@di12.dngr.org>
Content-Type: text/plain; charset="us-ascii"; format="flowed"

Have you looked at the phpsyslog-ng project on SourceForge? It's quite nice and useful; my only complaint about it is that it only works with MySQL.

___________________________________________
The average person does a lot of work in the name of laziness!
Save yourself the effort by doing it right the first time.
Do it with free speech software.

------------------------------

Message: 6
Date: Fri, 14 Sep 2007 10:28:04 +0200
From: Balazs Scheidler <bazsi@balabit.hu>
Subject: Re: [syslog-ng] Compiling on HP/UX 11.11
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Message-ID: <1189758484.7167.3.camel@bzorp.balabit>
Content-Type: text/plain

On Thu, 2007-09-13 at 11:16 -0700, C Wells wrote:
What's the error message of configure that you get if you have flex installed and not renamed?
'checking lex output file root... configure: error: cannot find output from flex; giving up'

I guess I can try a newer flex maybe, not sure.
The config.log file might have more details. The error basically says that the output for flex was not found. Are you sure it is using flex and not the system-installed lex? Again, the config.log file has more details.

The flex/lex commands generate their output as a fixed-name file (usually lex.yy.c) and the makefiles cannot find this file. Try running the flex command line by hand and check whether the file gets generated.

--
Bazsi

------------------------------

Message: 7
Date: Fri, 14 Sep 2007 10:29:48 +0200
From: Balazs Scheidler <bazsi@balabit.hu>
Subject: Re: [syslog-ng] non standard syslog message!
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Message-ID: <1189758588.7167.6.camel@bzorp.balabit>
Content-Type: text/plain

On Fri, 2007-09-14 at 12:03 +0800, Wilson Lai wrote:
Hi,

The message is not generated from a Cisco device. It is a third-party application log which has the following format:

"
Error Browser (Service 14) Thu May 10 01:52:15 2007 [OM 0]
Pid of logging process: 1029
Last Msg ID : JavaMail.root(a).scalix.x.y.com
Last Msg DirectRef: 000a4beace41e153
"

How could I convert it into a standard syslog format?

Thanks.
Is this a log file currently? Syslog-ng would convert this multi-line log message into individual log entries, which is probably not what you want.

You can use a script or something that makes this look like syslog and then write it to a named pipe or something and have syslog-ng read that.

--
Bazsi

------------------------------

End of syslog-ng Digest, Vol 29, Issue 11
*****************************************
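One way to do what Bazsi suggests for the application log quoted in this thread, as an added example that is not from the list or from syslog-ng: group each header line with its continuation lines into one record, emit the record as a single RFC 3164 line, and write it to a named pipe that a syslog-ng pipe() source reads. The header layout, the local0 facility, the severity-word mapping, the `scalix` tag and the `mailhost` hostname are assumptions taken from the one sample message.

```python
import re
import sys
from datetime import datetime
# Constructed sample: the record quoted in the thread, one line per list item.
SAMPLE = ["Error Browser (Service 14) Thu May 10 01:52:15 2007 [OM 0]",
          "Pid of logging process: 1029",
          "Last Msg ID : JavaMail.root(a).scalix.x.y.com",
          "Last Msg DirectRef: 000a4beace41e153"]
# Header layout (severity word, component, service number, ctime timestamp,
# bracketed tag) is inferred from that single sample: an assumption.
HEADER_RE = re.compile(r"^(?P<sev>\w+) (?P<comp>.+?) \(Service (?P<svc>\d+)\) "
                       r"(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \[(?P<tag>[^\]]*)\]\s*$")
FACILITY = 16                                      # local0 (assumed)
SEVERITY = {"Error": 3, "Warning": 4, "Info": 6}   # assumed word -> RFC 3164 severity

def _format_record(hdr, body, host, tag):
    """One RFC 3164 line: <PRI>Mmm dd hh:mm:ss HOST TAG: MSG, PRI = facility*8+severity."""
    pri = FACILITY * 8 + SEVERITY.get(hdr["sev"], 5)          # unknown word -> notice
    dt = datetime.strptime(" ".join(hdr["ts"].split()), "%a %b %d %H:%M:%S %Y")
    stamp = f"{dt:%b} {dt.day:2d} {dt:%H:%M:%S}"               # day is space-padded
    # Fold continuation lines into one line: syslog-ng treats each line as an event.
    parts = [f"{hdr['sev']} {hdr['comp']} (Service {hdr['svc']}) [{hdr['tag']}]"] + body
    msg = re.sub(r"[\x00-\x1f\x7f]", " ", " | ".join(parts))   # strip control chars
    return f"<{pri}>{stamp} {host} {tag}: {msg}"[:1024]        # RFC 3164 size limit

def to_syslog(lines, host, tag="scalix"):
    """Group each header with its continuation lines; return one syslog line per record."""
    out, hdr, body = [], None, []
    for line in lines:
        line = line.rstrip("\r\n")
        if not line.strip():
            continue
        m = HEADER_RE.match(line)
        if m:
            if hdr:
                out.append(_format_record(hdr, body, host, tag))
            hdr, body = m.groupdict(), []
        elif hdr:
            body.append(line.strip())
        else:  # text before the first header has no timestamp: report, don't guess one
            print(f"skipped: {line}", file=sys.stderr)
    if hdr:
        out.append(_format_record(hdr, body, host, tag))
    return out

if __name__ == "__main__":
    # usage: convert.py app.log /var/run/app.pipe  (named pipe read by syslog-ng's pipe() source)
    with open(sys.argv[1]) as src, open(sys.argv[2], "w") as fifo:
        for record in to_syslog(src, host="mailhost"):
            fifo.write(record + "\n")
```

Opening the FIFO for writing blocks until syslog-ng has opened it for reading, so start syslog-ng first.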