[syslog-ng] non standard syslog message!

Wilson Lai wilsonlai at macausjm.com
Mon Sep 17 04:50:49 CEST 2007


Dear Balazs,
        Could you please give me some information about the script which
could convert the non-syslog message into standard syslog format?
        Thanks.

Regards,
Wilson Lai
System Engineer
IT Dept., SJM
Office: (853)2978585
Mobile: (853)66506709
Email: wilsonlai at macausjm.com

-----Original Message-----
From: syslog-ng-request at lists.balabit.hu 
[mailto:syslog-ng-request at lists.balabit.hu] 
Sent: Friday, September 14, 2007 6:00 PM
To: syslog-ng at lists.balabit.hu
Subject: syslog-ng Digest, Vol 29, Issue 11

Send syslog-ng mailing list submissions to
	syslog-ng at lists.balabit.hu

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.balabit.hu/mailman/listinfo/syslog-ng
or, via email, send a message with subject or body 'help' to
	syslog-ng-request at lists.balabit.hu

You can reach the person managing the list at
	syslog-ng-owner at lists.balabit.hu

When replying, please edit your Subject line so it is more specific
than "Re: Contents of syslog-ng digest..."


Today's Topics:

   1. Re:  Compiling on HP/UX 11.11 (Balazs Scheidler)
   2. Re:  Compiling on HP/UX 11.11 (C Wells)
   3.  Mysql Syslog Data (John Hala)
   4. Re:  non standard syslog message! (Wilson Lai)
   5. Re:  Mysql Syslog Data (Paul Robert Marino)
   6. Re:  Compiling on HP/UX 11.11 (Balazs Scheidler)
   7. Re:  non standard syslog message! (Balazs Scheidler)


----------------------------------------------------------------------

Message: 1
Date: Thu, 13 Sep 2007 19:04:10 +0200
From: Balazs Scheidler <bazsi at balabit.hu>
Subject: Re: [syslog-ng] Compiling on HP/UX 11.11
To: Syslog-ng users' and developers' mailing list
	<syslog-ng at lists.balabit.hu>
Message-ID: <1189703050.15286.20.camel at bzorp.balabit>
Content-Type: text/plain

On Mon, 2007-09-10 at 10:34 -0700, C Wells wrote:
> This glib listed below worked fine (thanks), but then
> it asked for eventlog version >= 0.2, which I found at
> balabit and installed and then it asked for libnet,
> for which I found the binary, so finally the configure
> worked. Make asked for flex, which I had renamed
> because it made configure die. I put flex back and it
> passed that point but dies on this
> 
>  gcc  -g -O2 -Wall -g   -o syslog-ng  main.o
> libsyslog-ng.a -lnsl -lrt   -L/usr/local/lib
> -lglib-2.0 -lintl -liconv   -L/usr/local/lib -levtlog 
>  -lnet 
> /usr/ccs/bin/ld: Unsatisfied symbols:
>    linenum (first referenced in
> libsyslog-ng.a(cfg-grammar.o)) (data)
>    lookup_parse_flag (first referenced in
> libsyslog-ng.a(cfg-grammar.o)) (code)
>    strtoll (first referenced in
> libsyslog-ng.a(affile.o)) (code)
>    yylex (first referenced in
> libsyslog-ng.a(cfg-grammar.o)) (code)
>    lex_init (first referenced in
> libsyslog-ng.a(cfg.o)) (code)
> collect2: ld returned 1 exit status

Your ld is fine. As it seems cfg-lex.c was regenerated and is probably
empty, that's why it does not contain the lookup_parse_flag() function.

Try removing cfg-lex.c, and rerun make. It should regenerate cfg-lex.c
using flex.

As I see the configure test did not find libfl.a (or libfl.so) for some
reason. Try adding that to your link command line.

What's the error message of configure that you get if you have flex
installed and not renamed?

-- 
Bazsi



------------------------------

Message: 2
Date: Thu, 13 Sep 2007 11:16:31 -0700 (PDT)
From: C Wells <s2audi at yahoo.com>
Subject: Re: [syslog-ng] Compiling on HP/UX 11.11
To: syslog-ng at lists.balabit.hu
Message-ID: <663351.40801.qm at web60422.mail.yahoo.com>
Content-Type: text/plain; charset=iso-8859-1

> What's the error message of configure that you get
> if you have flex installed and not renamed?

'checking lex output file root... configure: error:
cannot find output from flex; giving up'
I guess I can try a newer flex maybe, not sure

Thanks


      



------------------------------

Message: 3
Date: Thu, 13 Sep 2007 22:24:02 -0400
From: John Hala <john.hala at villanova.edu>
Subject: [syslog-ng] Mysql Syslog Data
To: Syslog-ng users' and developers' mailing list
	<syslog-ng at lists.balabit.hu>
Message-ID:
	<294949F5411DFC418D1DEC84BE825AE11DA3CFEA66 at VUEX2.vuad.villanova.edu>
Content-Type: text/plain; charset="us-ascii"

So I have my syslogs going to a mysql database.  What are some 
recommended ways to make this data useful?

Here's how I created the table:

CREATE TABLE syslog (
host varchar(32) default NULL,
facility varchar(10) default NULL,
priority varchar(10) default NULL,
level varchar(10) default NULL,
tag varchar(10) default NULL,
date date default NULL,
time time default NULL,
program varchar(15) default NULL,   -- longer program names are silently truncated unless sql_mode is strict
msg text,
seq int(10) unsigned NOT NULL auto_increment,
PRIMARY KEY (seq),                  -- seq is indexed here already; a separate KEY seq (seq) only adds write cost
KEY host (host),
KEY program (program),
KEY time (time),
KEY date (date),
KEY priority (priority),
KEY facility (facility)
) ENGINE=MyISAM;                    -- TYPE=MyISAM is the old spelling; MyISAM has no transactions,
                                    -- so a crash mid-write can leave the table needing REPAIR TABLE
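As an added example of what "useful" can mean for a table like the one above (this is not from the thread and not phpsyslog-ng code): three queries an operator would run over it, executed against constructed sample rows in SQLite so the whole thing runs offline. The column names are the ones from the schema above. The hosts, programs and messages in SAMPLE_ROWS are made up. Because the schema splits date and time into two columns, finding the newest line per host needs a concatenation, which is date || ' ' || time in SQLite and CONCAT(date, ' ', time) or TIMESTAMP(date, time) in MySQL; that is the only MySQL-specific change the queries need.

```python
"""Detection-style queries over the syslog table from the thread.

Added example, not phpsyslog-ng or syslog-ng code.  Runs on SQLite from the
standard library; the sample rows below are constructed, not real logs.
"""
import sqlite3

# Same columns as the thread's schema, in SQLite's type vocabulary.
SCHEMA = """
CREATE TABLE syslog (
    host TEXT, facility TEXT, priority TEXT, level TEXT, tag TEXT,
    date TEXT, time TEXT, program TEXT, msg TEXT,
    seq INTEGER PRIMARY KEY AUTOINCREMENT
);
CREATE INDEX idx_host ON syslog (host);
CREATE INDEX idx_program ON syslog (program);
CREATE INDEX idx_date_time ON syslog (date, time);
"""

# Constructed sample: a password-guessing burst against web1, ordinary
# traffic on db1, and a firewall (fw1) that stopped logging at 08:30.
SAMPLE_ROWS = [
    ("web1", "auth", "err", "err", "sshd", "2007-09-14", "10:00:01", "sshd",
     "Failed password for root from 10.0.0.5 port 4011 ssh2"),
    ("web1", "auth", "err", "err", "sshd", "2007-09-14", "10:00:02", "sshd",
     "Failed password for root from 10.0.0.5 port 4012 ssh2"),
    ("web1", "auth", "err", "err", "sshd", "2007-09-14", "10:00:03", "sshd",
     "Failed password for admin from 10.0.0.5 port 4013 ssh2"),
    ("web1", "auth", "err", "err", "sshd", "2007-09-14", "10:00:04", "sshd",
     "Failed password for admin from 10.0.0.5 port 4014 ssh2"),
    ("web1", "auth", "info", "info", "sshd", "2007-09-14", "10:01:00", "sshd",
     "Accepted publickey for deploy from 10.0.0.9 port 5000 ssh2"),
    ("db1", "cron", "info", "info", "cron", "2007-09-14", "10:00:00", "cron",
     "(root) CMD (run-parts /etc/cron.hourly)"),
    ("db1", "auth", "err", "err", "sshd", "2007-09-14", "10:02:00", "sshd",
     "Failed password for admin from 10.0.0.5 port 4100 ssh2"),
    ("fw1", "kern", "warning", "warning", "kernel", "2007-09-14", "08:30:00",
     "kernel", "DROP IN=eth0 SRC=10.0.0.5 DST=10.0.1.1 PROTO=TCP DPT=22"),
]


def build_demo_db():
    """In-memory database with the schema and the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany(
        "INSERT INTO syslog (host, facility, priority, level, tag, date, time, "
        "program, msg) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return db


def noisiest(db, limit=5):
    """Host/program pairs producing the most lines: the volume baseline."""
    return db.execute(
        "SELECT host, program, COUNT(*) AS n FROM syslog "
        "GROUP BY host, program ORDER BY n DESC, host, program LIMIT ?",
        (limit,)).fetchall()


def auth_failure_bursts(db, threshold):
    """Hosts with at least `threshold` failed SSH logins: brute-force candidates."""
    return db.execute(
        "SELECT host, COUNT(*) AS failures FROM syslog "
        "WHERE program = 'sshd' AND msg LIKE 'Failed password%' "
        "GROUP BY host HAVING COUNT(*) >= ? ORDER BY COUNT(*) DESC",
        (threshold,)).fetchall()


def silent_hosts(db, cutoff):
    """Hosts whose newest line is older than `cutoff` ('YYYY-MM-DD HH:MM:SS').

    A source that stops logging matters as much as one that logs attacks:
    it may be down, misconfigured, or had its logging tampered with.
    ISO-formatted date || ' ' || time strings compare correctly as text.
    """
    return db.execute(
        "SELECT host, MAX(date || ' ' || time) AS last_seen FROM syslog "
        "GROUP BY host HAVING MAX(date || ' ' || time) < ? ORDER BY host",
        (cutoff,)).fetchall()


if __name__ == "__main__":
    db = build_demo_db()
    print("noisiest:", noisiest(db, 3))
    print("bursts:  ", auth_failure_bursts(db, 3))
    print("silent:  ", silent_hosts(db, "2007-09-14 09:30:00"))
```

The threshold and cutoff are parameters because the right values depend on the site; the shape of the queries is what carries over to MySQL, together with the index on (date, time) that the per-host "last seen" query needs once the table grows.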


------------------------------

Message: 4
Date: Fri, 14 Sep 2007 12:03:46 +0800
From: "Wilson Lai" <wilsonlai at macausjm.com>
Subject: Re: [syslog-ng] non standard syslog message!
To: syslog-ng <syslog-ng at lists.balabit.hu>
Message-ID: <H000006e0084a3d0.1189742625.mail.macausjm.com at MHS>
Content-Type: text/plain;	charset="US-ASCII"

Hi,
    The message is not generated from a Cisco device. It is a third
party application log which has the format as follows:
          " Error     Browser    (Service 14)    Thu May 10 01:52:15 
2007
             [OM 0]
             Pid of logging process: 1029
                  Last Msg ID : JavaMail.root(a).scalix.x.y.com
                  Last Msg DirectRef: 000a4beace41e153 "          "
    How could I convert it into a standard syslog format?
    Thanks.
Regards,
Wilson Lai
System Engineer
IT Dept., SJM
Office: (853)2978585
Mobile: (853)66506709
Email: wilsonlai at macausjm.com

-----Original Message-----
From: syslog-ng-request at lists.balabit.hu 
[mailto:syslog-ng-request at lists.balabit.hu] 
Sent: Thursday, September 13, 2007 6:00 PM
To: syslog-ng at lists.balabit.hu
Subject: syslog-ng Digest, Vol 29, Issue 10



Today's Topics:

   1. Re:  syslog-ng Digest, Vol 28, Issue 21 (Balazs Scheidler)


----------------------------------------------------------------------

Message: 1
Date: Wed, 12 Sep 2007 17:06:49 +0200
From: Balazs Scheidler <bazsi at balabit.hu>
Subject: Re: [syslog-ng] syslog-ng Digest, Vol 28, Issue 21
To: Syslog-ng users' and developers' mailing list
	<syslog-ng at lists.balabit.hu>
Message-ID: <1189609609.7181.4.camel at bzorp.balabit>
Content-Type: text/plain

On Fri, 2007-09-07 at 07:26 -0700, Nate Campi wrote:
> On Fri, Sep 07, 2007 at 05:26:02PM +0800, Wilson Lai wrote:
> > Dear all,
> >        What happens if the log message is not a standard syslog
> > message?
> >        Thanks.
> 
> If a Cisco switch sends a message like this:
> 2005 Aug 23 03:04:05 UTC +00:00 %PAGP-5-PORTFROMSTP:Port 4/16 left
> bridge port 4/16
> 
> ...it'll be written to disk like this:
> 
> Aug 23 03:04:05 switch.company.com 2005 Aug 23 03:04:05 UTC +00:00
> %PAGP-5-PORTFROMSTP:Port 4/16 left bridge port 4/16
> 
> syslog servers put in a proper syslog formatted header.
> 
> The behavior is documented here:
> 
>  http://www.faqs.org/rfcs/rfc3164.html
> 
> It's not syslog-ng specific behavior.

In fact I've added some Cisco date stamp support, so date stamps of some
of the Cisco gear are properly recognized. But Cisco is not using
consistent timestamps in their different product lines.

-- 
Bazsi



------------------------------

_______________________________________________
syslog-ng maillist  -  syslog-ng at lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng


End of syslog-ng Digest, Vol 29, Issue 10
*****************************************




------------------------------

Message: 5
Date: Fri, 14 Sep 2007 03:08:47 -0400
From: Paul Robert Marino <prmarino1 at gmail.com>
Subject: Re: [syslog-ng] Mysql Syslog Data
To: "Syslog-ng users' and developers' mailing list"
	<syslog-ng at lists.balabit.hu>
Message-ID: <1189753731.9CBEB49 at di12.dngr.org>
Content-Type: text/plain; charset="us-ascii"; format="flowed"

Have you looked at the phpsyslog-ng project on SourceForge? It's quite
nice and useful; my only complaint about it is that it only works with
MySQL.
___________________________________________
The average person does a lot of work in the name of laziness!
Save yourself the effort by doing it right the first time.
Do it with free speech software.


------------------------------

Message: 6
Date: Fri, 14 Sep 2007 10:28:04 +0200
From: Balazs Scheidler <bazsi at balabit.hu>
Subject: Re: [syslog-ng] Compiling on HP/UX 11.11
To: Syslog-ng users' and developers' mailing list
	<syslog-ng at lists.balabit.hu>
Message-ID: <1189758484.7167.3.camel at bzorp.balabit>
Content-Type: text/plain

On Thu, 2007-09-13 at 11:16 -0700, C Wells wrote:
> > What's the error message of configure that you get
> if you have flex installed and not renamed?
> 
> 'checking lex output file root... configure: error:
> cannot find output from flex; giving up'
> I guess I can try a newer flex maybe, not sure

The config.log file might have more details. The error basically says
that the output for flex was not found.

Are you sure it is using flex and not the system installed lex? Again,
the config.log file has more details.

The flex/lex commands generate their output as a fixed named file
(usually lex.yy.c) and the makefiles cannot find this file.

Try running the flex command line by hand and check whether the file
gets generated.

-- 
Bazsi



------------------------------

Message: 7
Date: Fri, 14 Sep 2007 10:29:48 +0200
From: Balazs Scheidler <bazsi at balabit.hu>
Subject: Re: [syslog-ng] non standard syslog message!
To: Syslog-ng users' and developers' mailing list
	<syslog-ng at lists.balabit.hu>
Message-ID: <1189758588.7167.6.camel at bzorp.balabit>
Content-Type: text/plain

On Fri, 2007-09-14 at 12:03 +0800, Wilson Lai wrote:
> Hi,
>     The message is not generated from a Cisco device. It is a third
> party application log which has the format as follows:
>           " Error     Browser    (Service 14)    Thu May 10 01:52:15 
> 2007
>              [OM 0]
>              Pid of logging process: 1029
>                   Last Msg ID : JavaMail.root(a).scalix.x.y.com
>                   Last Msg DirectRef: 000a4beace41e153 "          "
>     How could I convert it into a standard syslog format?
>     Thanks.

Is this a log file currently?  Syslog-ng would convert this multi-line
log message as individual log entries, which is probably not what you
want.

You can use a script or something that makes this look like syslog and
then write it to a named pipe or something and have syslog-ng read that.

-- 
Bazsi
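A worked version of the script-plus-named-pipe approach described in the reply above, added here as an example; it is not part of syslog-ng and not code from anyone in the thread. It assumes record boundaries that the single sample in the thread suggests but does not guarantee: a header line of the form "Severity  Component  (Service n)  ctime-style timestamp" followed by indented detail lines. The facility (local0), the hostname (supplied by the caller), the pipe path (/var/run/app.pipe) and the sample input are all assumptions or constructed for the example.

```python
"""Fold a multi-line application log into single-line RFC 3164 syslog
messages for a named pipe that syslog-ng reads.  Added example for this
thread, not syslog-ng code.  Assumed, not stated in the thread: a record
starts with a header "<Severity>  <Component>  (<Service n>)  <ctime stamp>"
and its indented lines follow it; facility local0; caller-supplied hostname;
pipe path /var/run/app.pipe."""
import re
import sys
from datetime import datetime

SEVERITY = {"Error": 3, "Warning": 4, "Notice": 5, "Info": 6, "Debug": 7}
FACILITY_LOCAL0 = 16  # assumed facility; PRI = facility * 8 + severity
HEADER_RE = re.compile(
    r"^(?P<sev>Error|Warning|Notice|Info|Debug)\s+(?P<component>\S+)\s+"
    r"\((?P<service>[^)]*)\)\s+"
    r"(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4})$")
PID_RE = re.compile(r"Pid of logging process:\s*(\d+)")
TAG_CLEAN = re.compile(r"[^A-Za-z0-9]")  # RFC 3164 TAG is alphanumeric only

def format_syslog(severity, dt, host, tag, msg):
    # RFC 3164 line: <PRI>Mmm dd HH:MM:SS host TAG: MSG, day space-padded.
    stamp = "{:%b} {:2d} {:%H:%M:%S}".format(dt, dt.day, dt)
    msg = " ".join(msg.split())  # one record per line: fold newlines/blank runs
    return "<%d>%s %s %s: %s" % (FACILITY_LOCAL0 * 8 + severity, stamp, host, tag, msg)

def _emit(rec, host):
    pid, parts = None, ([rec["service"]] if rec["service"] else [])
    for detail in rec["details"]:
        m = PID_RE.search(detail)
        if m:
            pid = m.group(1)  # "Pid of logging process: 1029" -> TAG[1029]
        else:
            parts.append(detail.strip())
    tag = TAG_CLEAN.sub("", rec["component"])[:32] or "app"
    if pid:
        tag = "%s[%s]" % (tag, pid)
    return format_syslog(rec["sev"], rec["dt"], host, tag, " | ".join(parts))

def normalize(lines, host, fallback_time):
    """One syslog line per record.  A line that is neither a header nor an
    indented continuation is forwarded on its own (severity notice,
    fallback_time) instead of being silently dropped."""
    out, rec = [], None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line.strip():
            continue
        m = HEADER_RE.match(line.strip())
        if m:
            if rec:
                out.append(_emit(rec, host))
            # %a/%b assume the C locale's English weekday and month names.
            dt = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
            rec = {"sev": SEVERITY[m.group("sev")], "dt": dt, "details": [],
                   "component": m.group("component"), "service": m.group("service")}
        elif rec and line[:1].isspace():
            rec["details"].append(line)
        else:
            if rec:
                out.append(_emit(rec, host))
            rec = None
            out.append(format_syslog(5, fallback_time, host, "app", line))
    if rec:
        out.append(_emit(rec, host))
    return out

def feed_pipe(lines, host, pipe_path="/var/run/app.pipe"):
    # open() on a FIFO blocks until syslog-ng has it open for reading, e.g.
    #   source s_app { pipe("/var/run/app.pipe"); };
    with open(pipe_path, "w") as pipe:
        for record in normalize(lines, host, datetime.now()):
            pipe.write(record + "\n")
            pipe.flush()

# Constructed sample in the shape quoted in the thread, plus one stray line.
SAMPLE = """\
Error     Browser    (Service 14)    Thu May 10 01:52:15 2007
             [OM 0]
             Pid of logging process: 1029
                  Last Msg ID : JavaMail.root(a).scalix.x.y.com
                  Last Msg DirectRef: 000a4beace41e153
queue flushed by operator
Warning   Browser    (Service 2)     Tue May  1 03:04:05 2007
             [OM 1]
""".splitlines()

def demo():
    return normalize(SAMPLE, "mailhost", datetime(2007, 5, 10, 2, 0, 0))

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: normalize.py <hostname> <fifo>, reads stdin
        feed_pipe(sys.stdin, sys.argv[1], sys.argv[2])
    else:
        print("\n".join(demo()))
```

Run with no arguments to see the sample folded into three syslog lines; with "normalize.py mailhost /var/run/app.pipe < app.log" it writes to a FIFO created beforehand with mkfifo, and syslog-ng reads it with a pipe() source on the same path. Since every multi-line record now arrives as one line, syslog-ng no longer splits it into separate entries, which is the problem the reply points out; the stray-line case is forwarded rather than dropped so that nothing disappears from the audit trail without a trace.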



------------------------------



End of syslog-ng Digest, Vol 29, Issue 11
*****************************************



