[syslog-ng]$MSG into different variables?

McNutt, Justin M. syslog-ng@lists.balabit.hu
Thu, 20 Mar 2003 12:06:22 -0600


If you find a solution to this, *please please please* post it to the list!  :-)

Thanks!

--J

> -----Original Message-----
> From: m@ervius.net [mailto:m@ervius.net]
> Sent: Thursday, March 20, 2003 9:19 AM
> To: syslog-ng@lists.balabit.hu
> Subject: [syslog-ng]$MSG into different variables?
>
> Hi,
>
> I'm trying to insert a variety of different logs into a MySQL database
> from syslog-ng. The logs are coming from Cisco routers, Squid proxies, FW1
> etc. and have a varying number of fields.
>
> The database tables are created with fields that match the different log
> formats - src IP, dest IP, protocol etc.
>
> Since I can match the incoming logs with regexps, it is possible to be
> absolutely sure that a given log message will fit into a given table.
>
> What I then would like to do is to split the $MSG into its different
> columns (separated by whitespace) and call the corresponding destination
> which would look something like this:
>
> destination cisco_icmp {
>    pipe("/tmp/icmp.pipe"
>    template("INSERT INTO router_icmp (host, priority, date, time, program,
> access_list, if, type_code ) VALUES ( '$HOST', '$PRIORITY',
> '$YEAR-$MONTH-$DAY', '$HOUR:$MIN:$SEC', '$PROGRAM', '$MSG[6]',
> '$MSG[8]', '$MSG[13]' );\n") template-escape(yes));
> };
>
> Is this possible to do in syslog-ng? Or is there any other method of
> getting the values from the $MSG variable?
>
> I could of course read it from the pipe with some awk or perl script and
> build the sql-syntax from there. But since I will have quite a few
> different table formats it would then need a perl interpreter running for
> each table. Not very pretty IMO.
>
> Any suggestions? Have I missed something?
>
> Thanks!
>
> // Martin
>
> _______________________________________________
> syslog-ng maillist  -  syslog-ng@lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
>
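
The pipe-reader alternative mentioned in the quoted message, as an added example that is not part of the original thread: one Python process routes each message by regex, splits it on whitespace, and inserts the chosen fields with bound parameters, so a single reader serves every table and log content never becomes SQL text. The route patterns, field indexes, the squid_access table, and the sample lines are constructed for illustration, and sqlite3 stands in for MySQL.

```python
import re
import sqlite3

# Hypothetical routes: (pattern on $MSG, table, {column: index of whitespace field}).
# Table and column names are fixed in code; only values come from the log line.
ROUTES = [
    (re.compile(r"IPACCESSLOGDP"), "router_icmp",
     {"access_list": 2, "type_code": 8}),
    (re.compile(r"TCP_(HIT|MISS)"), "squid_access",
     {"client": 2, "result": 3, "url": 6}),
]

def build_insert(host, msg):
    """Return (sql, params) for the first matching route, else None."""
    fields = msg.split()
    for pattern, table, columns in ROUTES:
        if not pattern.search(msg):
            continue
        if max(columns.values()) >= len(fields):
            return None  # fewer fields than the route expects: skip, don't guess
        names = ["host"] + list(columns)
        sql = "INSERT INTO %s (%s) VALUES (%s)" % (
            table, ", ".join(names), ", ".join("?" * len(names)))
        return sql, [host] + [fields[i] for i in columns.values()]
    return None

def load(conn, records):
    """Insert (host, msg) pairs with bound parameters; return the count stored."""
    stored = 0
    for host, msg in records:
        built = build_insert(host, msg)
        if built is not None:
            conn.execute(*built)
            stored += 1
    return stored

# Constructed sample messages, not taken from the thread.
SAMPLE = [
    ("rtr1", "%SEC-6-IPACCESSLOGDP: list 101 denied icmp 10.1.1.1 -> 10.2.2.2 (8/0), 1 packet"),
    ("proxy1", "1048183582.123 45 10.0.0.5 TCP_MISS/200 1234 GET http://example.test/a'b - NONE/- text/html"),
    ("rtr1", "%SEC-6-IPACCESSLOGDP: list 101"),  # truncated message: no insert
]

def demo():
    conn = sqlite3.connect(":memory:")  # sqlite3 stands in for MySQL here
    conn.execute("CREATE TABLE router_icmp (host, access_list, type_code)")
    conn.execute("CREATE TABLE squid_access (host, client, result, url)")
    return load(conn, SAMPLE), conn.execute("SELECT url FROM squid_access").fetchall()
```

With a MySQL driver such as PyMySQL the placeholder is `%s` rather than `?`; the values are still passed separately from the statement text.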