[syslog-ng] $MSG into different variables?
Balazs Scheidler
syslog-ng@lists.balabit.hu
Sat, 29 Mar 2003 23:37:18 +0100
On Thu, Mar 20, 2003 at 03:19:22PM -0000, m@ervius.net wrote:
> Hi,
>
> I'm trying to insert a variety of different logs into a MySQL database
> from syslog-ng. The logs are coming from Cisco routers, Squid proxies, FW1
> etc. and have a varying number of fields.
>
> The database tables are created with fields that match the different log
> formats, - src IP, dest IP, protocol etc.
>
> Since I can match the incoming logs with regexps, it is possible to be
> absolutely sure that a given log message will fit into a given table.
>
> What I then would like to do is to split the $MSG into its different
> columns (separated by whitespace) and call the corresponding destination
> which would look something like this:
>
> destination cisco_icmp {
> pipe("/tmp/icmp.pipe"
> template("INSERT INTO router_icmp (host, priority, date, time, program,
> access_list, if, type_code ) VALUES ( '$HOST', '$PRIORITY',
> '$YEAR-$MONTH-$DAY', '$HOUR:$MIN:$SEC', '$PROGRAM', '$MSG[6]',
> '$MSG[8]', '$MSG[13]' );\n") template-escape(yes));
> };
>
> Is this possible to do in syslog-ng? Or is there any other method of
> getting the values from the $MSG variable?
>
> I could of course read it from the pipe with some awk or perl script and
> build the sql-syntax from there. But since I will have quite a few
> different table formats it would then need a perl interpreter running for
> each table. Not very pretty IMO.

Something similar is available in 1.9.x, but that is still not ready for
production environments.
The syntax is to use $1 .. $9 in place of $MSG[13].
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
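
Added example, not part of the original thread or of syslog-ng: a sketch of the pipe-reader alternative mentioned in the question, with one process routing several table formats and binding the whitespace-split fields as query parameters instead of pasting them into SQL text. It assumes the pipe carries tab-separated host, program and message; sqlite3 stands in for MySQL, and the regex, token positions and sample lines are constructed.

```python
import re
import sqlite3

# Fixed routing table: message regex -> (table, columns, 0-based token positions).
# Table and column names follow the question; pattern and positions are assumed.
# Identifiers come only from here, since placeholders cannot bind identifiers.
ROUTES = [
    (re.compile(r"^list \S+ denied icmp "), "router_icmp",
     ("access_list", "if", "type_code"), (1, 5, 10)),
]

def route(host, program, msg):
    """Return (sql, params) for the first matching route, or None."""
    fields = msg.split()  # whitespace-separated, as in the question
    for pattern, table, columns, positions in ROUTES:
        if not pattern.search(msg):
            continue
        if max(positions) >= len(fields):
            return None  # truncated message: drop rather than misalign columns
        names = ("host", "program") + columns
        cols = ", ".join('"%s"' % n for n in names)
        marks = ", ".join("?" for _ in names)
        params = (host, program) + tuple(fields[i] for i in positions)
        return "INSERT INTO %s (%s) VALUES (%s)" % (table, cols, marks), params
    return None

def load(db, lines):
    """Insert 'host<TAB>program<TAB>msg' lines; return the number of rows stored."""
    stored = 0
    for line in lines:
        parts = line.rstrip("\n").split("\t", 2)
        routed = route(*parts) if len(parts) == 3 else None
        if routed:
            db.execute(*routed)  # values are bound, never interpolated
            stored += 1
    return stored

def demo():
    db = sqlite3.connect(":memory:")  # stand-in for the MySQL database
    db.execute('CREATE TABLE router_icmp (host, program, access_list, "if", type_code)')
    sample = [  # constructed sample lines, not real router output
        "r1\tkernel\tlist 101 denied icmp on Ethernet0 10.1.1.1 -> 10.2.2.2 type 8/0",
        "r1\tkernel\tlist x');-- denied icmp on Ethernet0 10.1.1.1 -> 10.2.2.2 type 8/0",
        "r1\tkernel\tlist 101 denied icmp on Ethernet0",
    ]
    return load(db, sample), db.execute("SELECT access_list FROM router_icmp").fetchall()

if __name__ == "__main__":
    print(demo())
```

The second sample line carries quote characters in a field; it is stored as literal data, which is the property the question's `template-escape(yes)` is relied on to provide in the template approach.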