Logging only if phrase found
Hi @all, I am using syslog-ng for logging into mysql.
****************************
options { chain_hostnames(off); sync(0); stats(43200); };
source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };
destination d_mysql { program("/usr/bin/mysql --user=syslogfeeder --password=SuperPassWord syslog" template("INSERT INTO logs (host, facility, priority, level, tag, datetime, program, msg) VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC','$PROGRAM', '$MSG' );\n") template-escape(yes)); };
destination messages { file("/var/log/messages"); };
log { source(src); destination(messages); destination(d_mysql); };
****************************
I want to have only the entries in my log database that contain a specific phrase, for example all the entries with "...connect...".
Is this possible with syslog-ng?
Thanks
Sebastian
Sebastian Deißner <sebastian@debianfan.de> writes:
options { chain_hostnames(off); sync(0); stats(43200); };
source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };
destination d_mysql { program("/usr/bin/mysql --user=syslogfeeder --password=SuperPassWord syslog" template("INSERT INTO logs (host, facility, priority, level, tag, datetime, program, msg) VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC','$PROGRAM', '$MSG' );\n") template-escape(yes)); };
destination messages { file("/var/log/messages"); };
log { source(src);destination(messages); destination(d_mysql); };
I want to have only the entries in my log database, that contain a specific phrase, for example all the entries with "...connect..."
Is this possible with syslog-ng?
Yes, it is. You can use filters, somewhat like this:
filter f_connect { message("*connect*" type(glob)); };
You can use regular expressions in the filter too - just remove the type(glob) part then.
And then add filter(f_connect); to your log block:
log { source(src); destination(messages); filter(f_connect); destination(d_mysql); };
This will log all messages to the messages destination, but only filtered ones to mysql. As far as I understand it, anyway. I usually use separate log blocks:
log { source(src); destination(messages); };
log { source(src); filter(f_connect); destination(d_mysql); };
--
|8]
On 18.05.2011 00:16, Gergely Nagy wrote:
Yes, it is. You can use filters, somewhat like this:
filter f_connect { message("*connect*" type(glob)); };
You can use regular expressions in the filter too - just remove the type(glob) part then.
And then add filter(f_connect); to your log block:
log { source(src); destination(messages); filter(f_connect); destination(d_mysql); };
This will log all messages to the messages destination, but only filtered ones to mysql. As far as I understand it, anyway. I usually use separate log blocks:
log { source(src); destination(messages); };
log { source(src); filter(f_connect); destination(d_mysql); };
With your code, all messages are in the database. I only want to have the messages which have the word "connect" in the message. I tried to do it in this way:
options { chain_hostnames(off); sync(0); stats(43200); };
source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };
# filter f_connect { msg("/connect/" type(glob));};
filter f_connect { match ("/connect/");};
destination d_mysql { program("/usr/bin/mysql --user=username --password=myword database" template("INSERT INTO logs (host, facility, priority, level, tag, datetime, program, msg) VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC','$PROGRAM', '$MSG' );\n") template-escape(yes)); };
destination messages { file("/var/log/mail.log"); };
log { source(src); filter (f_connect); destination(messages); destination(d_mysql); };
On 18.05.2011 18:50, Sebastian Deißner wrote:
filter f_connect { match ("/connect/");};
I got it - very simple:
filter f_connect { match (".*connect.*");};
That's it - thank you for helping :-)
On 2011-05-18, Sebastian Deißner wrote:
On 18.05.2011 18:50, Sebastian Deißner wrote:
filter f_connect { match ("/connect/");};
I got it - very simple:
filter f_connect { match (".*connect.*");};
Actually, in terms of regular expressions, this is equal to match("connect").
HTH
--
Jakub Jankowski|shasta@toxcorp.com|http://toxcorp.com/
GPG: FCBF F03D 9ADB B768 8B92 BB52 0341 9037 A875 942D
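The filter behaviour discussed in this thread (Gergely's glob filter, Sebastian's failed match("/connect/"), and Jakub's point that ".*connect.*" equals "connect"), as an added Python emulation that is not part of the original posts or of syslog-ng itself. It approximates a message() glob filter with fnmatch and a match() regex filter with an unanchored search, run over constructed sample messages; the assumption that both are case-sensitive is mine.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample messages, not taken from the thread.
SAMPLE_MESSAGES = [
    "sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2",
    "postfix/smtpd[555]: connect from unknown[192.0.2.10]",
    "postfix/smtpd[555]: disconnect from unknown[192.0.2.10]",
    "kernel: usb 1-1: new high-speed USB device number 4",
    "app: retrying /connect/ endpoint after timeout",
]


def glob_filter(messages, pattern):
    """Emulate filter f { message(pattern type(glob)); }: the whole message
    must match the shell-style glob, so '*connect*' is needed for substrings."""
    return [m for m in messages if fnmatchcase(m, pattern)]


def regex_filter(messages, pattern):
    """Emulate filter f { match(pattern); }: an unanchored regex search, so
    'connect' already matches anywhere and '.*' on either side adds nothing."""
    rx = re.compile(pattern)
    return [m for m in messages if rx.search(m)]


def compare_filters(messages=SAMPLE_MESSAGES):
    """Return how many messages each filter from the thread would forward."""
    return {
        'message("*connect*" type(glob))': len(glob_filter(messages, "*connect*")),
        # The slashes are literal regex characters, not delimiters: this only
        # matches messages that actually contain the text "/connect/".
        'match("/connect/")': len(regex_filter(messages, "/connect/")),
        'match(".*connect.*")': len(regex_filter(messages, ".*connect.*")),
        'match("connect")': len(regex_filter(messages, "connect")),
        # Caveat: plain "connect" also forwards "disconnect"; word boundaries
        # narrow the filter to the word itself.
        r'match("\bconnect\b")': len(regex_filter(messages, r"\bconnect\b")),
    }


if __name__ == "__main__":
    for filt, count in compare_filters().items():
        print(f"{filt:35s} -> {count} of {len(SAMPLE_MESSAGES)} messages")
```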