[syslog-ng] facilities problem

Geller, Sandor (IT) Sandor.Geller at morganstanley.com
Fri Oct 12 15:48:44 CEST 2007 

Hi, 

> Hi,
> I have a problem with syslog-ng facilities.
> 
> I use a program called SEC to customize logs.
> so my logs come to my syslog-ng server, which send them to SEC by
> running it, and then, SEC gives them back to syslog-ng 
> throught a pipe,
> and then, syslog-ng send them into a mysql database.
> in the config file, I have :
> 
> source src_reseau { udp(ip(0.0.0.0) port(513)); };
> source src_solaris { sun-streams("/dev/log" 
> door("/etc/.syslog_door")); };
> destination d_sec { program("/var/hote/sec-2.4.1/sec.pl -input=-
> -conf=/etc/syslog-ng/sec.conf -log=/var/adm/sec.log"); };
> log { source(src_reseau); source(src_solaris); destination(d_sec); };
> 
> and after SEC, it returns to syslog-ng
> 
> source src_sec { pipe("/tmp/src_sec.pipe"); };
> destination d_mysql { program("mysql -h xxx -u xxx 
> --password=xxx syslog 
>  >/dev/null" template ("INSERT INTO logs (host, facility, priority,
> level, tag, datetime, program, msg) VALUES ('$HOST' , 'auth' ,
> '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC',
> '$PROGRAM', '$MSG' );\n") template-escape(yes)); };
> log { source(src_sec); destination(da_mysql); };
> 
> The problem is : Before comming back throught the pipe, facilities and
> levels are corrects, but after a pipe (or a file, because I 
> experienced
> the same problem with a file input), facilities and levels are
> user.notice in all cases...
> 
> Does syslog-ng incapable of reading facilities throught files 
> and pipes,
> or did I missed something?

user.notice is the default facility/severity if the log message
doesn't contain this information. My guess is that syslog-ng doesn't
send this information to your script because your d_sec destination
doesn't use a template. Try using a template like
"<$PRI> $ISODATE $FULLHOST $MSG"

Regards,

Sandor
--------------------------------------------------------

NOTICE: If received in error, please destroy and notify sender. Sender does not intend to waive confidentiality or privilege. Use of this email is prohibited when received in error.

More information about the syslog-ng mailing list