[syslog-ng]Filter for corrupt syslog-messages?

Dan Edwards syslog-ng@lists.balabit.hu
Thu, 24 Apr 2003 11:45:10 -0400


Upgrade to at least snapshot 4/18 and they will work.

Dan Edwards
Network Specialist
A. Duda & Sons, Inc.

-----Original Message-----
From: syslog-ng-admin@lists.balabit.hu
[mailto:syslog-ng-admin@lists.balabit.hu] On Behalf Of Meinecke,
Sebastian
Sent: Thursday, April 24, 2003 11:40 AM
To: 'syslog-ng@lists.balabit.hu'
Subject: AW: [syslog-ng]Filter for corrupt syslog-messages?

At first: thanks for your quick help!

I downloaded the new Version 1.6.0rc2 of syslog-ng and installed it as
usual. The problem now is that macros don't work. Variables like $HOST,
$FACILITY etc. are null, although there hadn't been any errors during
compiling and installing.
I'm using the config-file that properly worked under the 1.5.24-version.

Destinations like

destination d_mysql_pipe {
    pipe("/logs/mysql.pipe"
         template("INSERT INTO logs (host, facility, priority, date, time, program, msg) VALUES ( '$HOST', '$FACILITY', '$PRIORITY',  '$YEAR-$MONTH-$DAY', '$HOUR:$MIN:$SEC', '$PROGRAM','$MSG' );\n")
         template-escape(yes));
};

produce SQL-statements like

INSERT INTO logs (host, facility, priority, date, time, program, msg)
VALUES ( '', '', '',  '--', '::', '','' );

I didn't find any notices about changes in the config-file-syntax that
could produce such stuff... or maybe I only fooled myself ;-)

again: thanks in advance,

Sebastian



On Thu, Apr 24, 2003 at 04:18:45PM +0200, Meinecke, Sebastian wrote:
> Hello everyone,
>
> I've set up a Linux box with syslog-ng 1.5.24 running. It is configured,
> that it puts all syslog-messages from other Unix hosts in the network via
> the "template" function as a SQL-Statement into a pipe. This pipe is read
> by a mysql-Client that writes everything into the MySQL-database.
>
> Everything works fine, until I try to stress the system using a tool, that
> sends corrupt syslog-messages to the Syslog-ng-Server. The result is, that
> these "corrupt" messages are not written into the database (that's OK; I
> don't want them there...).
> But the problem is that syslog-messages arriving a little time before or
> after the corrupt ones will also not be put into the database, because the
> fragments of the corrupt SQL-statements that are built out of the corrupt
> messages also damage the "good ones".
>
> So my question: Is there any possibility to filter messages that are
> corrupt or don't match RFC 3164 via the "filter"-function of syslog-ng?
> Or does anybody of you know a different solution?

there were some line reassembling problems in earlier 1.5.x versions.
you might try to upgrade first and check whether that version also has
some problems. (the latest snapshots of 1.6.0rc2 should be ok)

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
_______________________________________________
syslog-ng maillist  -  syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
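
Added example, not part of the original thread: a consumer for the pipe that checks each raw line against the RFC 3164 shape and inserts it with bound parameters, so a corrupt message is dropped on its own and cannot damage the statements of its neighbours. It goes beyond the thread by validating in the reader rather than in syslog-ng; sqlite3 stands in for the MySQL database, and the names parse, store and demo are assumptions made here.

```python
import re
import sqlite3

# RFC 3164 shape: <PRI>Mmm dd hh:mm:ss HOST TAG[pid]: MSG
RFC3164 = re.compile(
    r"<(?P<pri>\d{1,3})>"
    r"(?P<date>(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) (?: [1-9]|[12]\d|3[01])) "
    r"(?P<time>(?:[01]\d|2[0-3]):[0-5]\d:[0-5]\d) "
    r"(?P<host>[A-Za-z0-9._-]{1,255}) "
    r"(?P<program>[A-Za-z0-9_./-]{1,32})(?:\[\d+\])?: ?"
    r"(?P<msg>[\x20-\x7e]*)"  # strict: printable ASCII only
)

def parse(line):
    """Return the row for a well-formed message, or None if it is corrupt."""
    m = RFC3164.fullmatch(line)
    if m is None:
        return None
    pri = int(m["pri"])
    if pri > 191:  # facility 0-23, severity 0-7
        return None
    return (m["host"], pri >> 3, pri & 7, m["date"], m["time"],
            m["program"], m["msg"])

def store(conn, lines):
    """Insert valid messages with bound parameters; return (stored, rejected)."""
    rows = [r for r in map(parse, lines) if r is not None]
    with conn:  # one transaction; values are never spliced into the SQL text
        conn.executemany(
            "INSERT INTO logs (host, facility, priority, date, time, program, msg) "
            "VALUES (?, ?, ?, ?, ?, ?, ?)", rows)
    return len(rows), len(lines) - len(rows)

def demo():
    conn = sqlite3.connect(":memory:")  # assumption: stand-in for MySQL
    conn.execute("CREATE TABLE logs (host, facility, priority, date, time, program, msg)")
    sample = [  # constructed input: two good messages around three corrupt ones
        "<34>Apr 24 11:45:10 web01 su[1234]: 'su root' failed for dan on /dev/pts/8",
        "<999>Apr 24 11:45:10 web01 su: PRI out of range",
        "<13>Apr 24 11:4",
        "Apr 24 11:45:11 web01 sshd: no PRI field",
        "<13>Apr 24 11:45:12 db02 cron[77]: job 'backup' finished; rc=0",
    ]
    counts = store(conn, sample)
    return counts, conn.execute("SELECT host, facility, priority, msg FROM logs").fetchall()

if __name__ == "__main__":
    print(demo())
```
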