[syslog-ng]Double timestamps cause DB issue
Balazs Scheidler
syslog-ng@lists.balabit.hu
Fri, 25 Apr 2003 20:16:49 +0200
On Fri, Apr 25, 2003 at 12:17:32PM -0400, Robin Brown wrote:
> Hello,
>
> Running syslog-ng version 1.5.26 on Solaris 8. All is working well,
> except now I want to log to a MySQL database. I can also get that to
> work, the problem is the double time stamp in the syslog entry. When it
> gets put in the database the second timestamp ends up in the program
> field instead of the actual program.
>
> Looking thru the archives, I can find reference to the template macros,
> but there only appears to be one MSG macro available. Below is a sample
> log line:
>
> Apr 25 11:40:36 mydevice.mydomain.com Apr 25 2003 11:13:09:
> %PIX-4-106023: Deny tcp src inside:111.222.333.444/1343 dst
> outside:555.999.777.888/80 by access-group "outbound"
>
> And my database definition from syslog-ng.conf:
>
> destination d_mysql {
> pipe("/tmp/mysql.pipe"
> template("INSERT INTO logs (host, facility, priority, level,
> tag, date,time, program, msg) VALUES ( '$HOST', '$FACILITY',
> '$PRIORITY', '$LEVEL', '$TAG','$YEAR-$MONTH-$DAY', '$HOUR:$MIN:$SEC',
> '$PROGRAM', '$MSG' );\n") template-escape(yes));
> };
>
>
> And a sample from the database:
>
> host,facility,priority,level,tag,date,time,program,msg,seq
> mydevice.mydomain.com,local5,warning,warning,ac,2003-04-25,10:26:14,Apr,
> Apr 25 2003 09:58:46: %PIX-4-106023: Deny tcp src
> inside:192.168.176.204/3954 dst outside:216.23.181.206/80 by
> access-group "outbound",1
>
>
> "Apr" is put in the program field and the message plus the second
> timestamp is added to the msg filed.
you can play with check_hostname and bad_hostname options, what does
syslog-ng receive in the UDP packet?
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1