syslog-ng help: how can I use function in double quotes?
Hi All,

How can I use a function in double quotes? I want to record the IP address of the syslog-ng server. Since there's no available macro that represents the IP of the syslog-ng server (there are only macros indicating where the message was sent to the syslog-ng server from, like $HOST), I want to use the ip() function and record it to the database. The configuration part is:

    columns( "datetime varchar2(24)", "server_ip varchar2(24)", "host varchar2(32)", ...)
    values( "${R_YEAR}-${R_MONTH}-${R_DAY} ${R_HOUR}:${R_MIN}:${R_SEC}", "ip()", "$HOST", ...)

When I started syslog-ng, it gave an error message that said it was expecting double quotes. How can I use a function in double quotes? Or are there any other ways to get the syslog-ng server IP address and record it?

Thanks,
Henry

"Henry Xu" <xkb.surfing@gmail.com> writes:
> Since there's no available macro that represent the IP of syslog-ng server(only have macros indicate where the message sent to syslog-ng server,like $HOST). So I want to use ip() function and record it to database.

There is no ip() function in syslog-ng. The various ip() stuff you can see in configs, are settings for the various sources and destinations.

The main issue with what you want to do, is figuring out what the server's IP is, as there can be many. I assume you want the IP the message arrived to - am I correct?

In that case, the best option off the top of my head, is to tag messages coming to the different IP addresses, and use the $TAG macro in the destination:

    source s_net_1234 { tcp(ip(1.2.3.4) ...); tag("1.2.3.4"); };
    source s_net_192 { tcp(ip(192.168.0.1) ...); tag("192.168.0.1"); };
    destination d_sql { sql(... values("${R_YEAR}-${R_MONTH}-${R_DAY} ${R_HOUR}:${R_MIN}:${R_SEC}", "${TAGS}", "${HOST}", ...); ); };

Care should be taken that $TAGS will expand to all tags, so only one tag should be on any message.

There might be better ways to achieve the same thing, though, but this is the first that I could think of.

-- |8]

On Tuesday, July 5, 2011 17:52 CEST, Gergely Nagy <algernon@balabit.hu> wrote:
> "Henry Xu" <xkb.surfing@gmail.com> writes:
> > Since there's no available macro that represent the IP of syslog-ng server(only have macros indicate where the message sent to syslog-ng server,like $HOST). So I want to use ip() function and record it to database.
>
> There is no ip() function in syslog-ng. The various ip() stuff you can see in configs, are settings for the various sources and destinations.
>
> The main issue with what you want to do, is figuring out what the servers IP is, as there can be many. I assume you want the IP the message arrived to - am I correct?
>
> In that case, the best option off the top of my head, is to tag messages coming to the different IP addresses, and use the $TAG macro in the destination:
>
>     source s_net_1234 { tcp(ip(1.2.3.4) ...); tag("1.2.3.4"); };
>     source s_net_192 { tcp(ip(192.168.0.1) ...); tag("192.168.0.1"); };
>     destination d_sql { sql(... values("${R_YEAR}-${R_MONTH}-${R_DAY} ${R_HOUR}:${R_MIN}:${R_SEC}", "${TAGS}", "${HOST}", ...); ); };
>
> Care should be taken that $TAGS will expand to all tags, so only one tag should be on any message.

AFAIK, syslog-ng automatically adds the id of the source (s_net_192 in the above example) to $TAGS, so you'll have at least two tags.

Robert

> There might be better ways to achieve the same thing, though, but this is the first that I could think of.
>
> -- |8]

> Care should be taken that $TAGS will expand to all tags, so only one tag should be on any message. AFAIK, syslog-ng automatically adds the id of the source (s_net_192 in the above example) to $TAGS, so you'll have at least two tags.

You're correct. Darn. The next best thing is beating this info somewhere into SDATA then..

-- |8]

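Added example, not part of the thread and not syslog-ng code: if the "${TAGS}" expansion has already been stored in the server_ip column, the listener address can still be recovered afterwards by keeping only the tag that parses as an IP address and rejecting rows where that is ambiguous. The function name and sample values are constructed for illustration, and the comma-separated form of ${TAGS} is an assumption the thread does not state.

```python
import ipaddress


def listener_ip_from_tags(tags_value):
    """Return the one IP-address tag contained in a stored ${TAGS} value.

    Assumption: ${TAGS} expands to a comma-separated list of tags.
    Tags that are not IP addresses (for example the source id that
    syslog-ng adds on its own) are ignored.
    """
    found = []
    for tag in tags_value.split(","):
        tag = tag.strip()
        if not tag:
            continue
        try:
            found.append(ipaddress.ip_address(tag))
        except ValueError:
            # Not an address: a source id or some other label.
            continue
    if len(found) != 1:
        # Zero or several address tags: the listener cannot be determined.
        raise ValueError(
            "expected exactly one IP tag, found %d in %r" % (len(found), tags_value)
        )
    return str(found[0])


def split_rows(values):
    """Partition stored column values into (resolved, rejected) lists."""
    resolved, rejected = [], []
    for value in values:
        try:
            resolved.append((value, listener_ip_from_tags(value)))
        except ValueError:
            rejected.append(value)
    return resolved, rejected


if __name__ == "__main__":
    # Constructed sample column values, not taken from a real database.
    samples = ["1.2.3.4,s_net_1234", "s_net_192,192.168.0.1", "s_net_192",
               "1.2.3.4,192.168.0.1"]
    ok, bad = split_rows(samples)
    for raw, ip in ok:
        print("%-28s -> %s" % (raw, ip))
    for raw in bad:
        print("%-28s -> rejected" % raw)
```
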
participants (3): Fekete Róbert, Gergely Nagy, Henry Xu