[syslog-ng] Double timestamps cause DB issue

Robin Brown syslog-ng@lists.balabit.hu
Fri, 25 Apr 2003 12:17:32 -0400


Hello,

Running syslog-ng version 1.5.26 on Solaris 8.  All is working well,
except now I want to log to a MySQL database.  I can also get that to
work; the problem is the double time stamp in the syslog entry.  When it
gets put in the database the second timestamp ends up in the program
field instead of the actual program.

Looking through the archives, I can find reference to the template macros,
but there only appears to be one MSG macro available.  Below is a sample
log line:

Apr 25 11:40:36 mydevice.mydomain.com Apr 25 2003 11:13:09: %PIX-4-106023: Deny tcp src inside:111.222.333.444/1343 dst outside:555.999.777.888/80 by access-group "outbound"

And my database definition from syslog-ng.conf:

destination d_mysql {
        pipe("/tmp/mysql.pipe"
        template("INSERT INTO logs (host, facility, priority, level, tag, date,time, program, msg) VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG','$YEAR-$MONTH-$DAY', '$HOUR:$MIN:$SEC', '$PROGRAM', '$MSG' );\n") template-escape(yes));
};


And a sample from the database:

host,facility,priority,level,tag,date,time,program,msg,seq
mydevice.mydomain.com,local5,warning,warning,ac,2003-04-25,10:26:14,Apr,
Apr 25 2003 09:58:46: %PIX-4-106023: Deny tcp src
inside:192.168.176.204/3954 dst outside:216.23.181.206/80 by
access-group "outbound",1


"Apr" is put in the program field and the message plus the second
timestamp is added to the msg field.

Any suggestions appreciated.

Regards,
Robin
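
The mis-parse described in the message above, as an added example that is not part of the original post and is not syslog-ng code. `naive_parse` is a simplified model (an assumption) of the parse that yields "Apr" as the program; `parse_line` is a hypothetical helper that strips the device-side timestamp before looking for the program tag.

```python
import re

# Log line quoted in the post, rejoined onto one line.
SAMPLE = ('Apr 25 11:40:36 mydevice.mydomain.com Apr 25 2003 11:13:09: '
          '%PIX-4-106023: Deny tcp src inside:111.222.333.444/1343 dst '
          'outside:555.999.777.888/80 by access-group "outbound"')

# BSD-syslog header as written by the relay: "Mmm dd hh:mm:ss host rest".
HEADER = re.compile(r'^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (?P<host>\S+) (?P<rest>.*)$')
# Second, device-side timestamp as it appears in the post: "Mmm dd yyyy hh:mm:ss: ".
DEVICE_TS = re.compile(r'^(?P<dts>[A-Z][a-z]{2} [ \d]?\d \d{4} \d\d:\d\d:\d\d): ')
# Program tag: a token ending in ':' with an optional "[pid]".
TAG = re.compile(r'^(?P<program>[^\s:\[]+)(?:\[\d+\])?: ?(?P<msg>.*)$')


def split_header(line):
    m = HEADER.match(line)
    if m is None:
        raise ValueError('not a BSD-syslog line: %r' % line)
    return m.group('host'), m.group('rest')


def naive_parse(line):
    """Simplified model (an assumption) of the parse behind the row in the post:
    program = first token after the host, msg = everything after the host."""
    host, rest = split_header(line)
    program = re.match(r'[^\s:\[]*', rest).group(0)
    return {'host': host, 'program': program, 'msg': rest}


def parse_line(line):
    """Strip the device timestamp, if present, before looking for the program tag."""
    host, rest = split_header(line)
    device_time = None
    m = DEVICE_TS.match(rest)
    if m:
        device_time = m.group('dts')
        rest = rest[m.end():]
    m = TAG.match(rest)
    program, msg = (m.group('program'), m.group('msg')) if m else ('', rest)
    return {'host': host, 'device_time': device_time, 'program': program, 'msg': msg}


if __name__ == '__main__':
    print(naive_parse(SAMPLE)['program'])
    print(parse_line(SAMPLE))
```

The fields returned by `parse_line` can be bound as parameters of the INSERT rather than interpolated into the statement text.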