[syslog-ng] syslog + snare + mysql
Eli Robinson
Eli.Robinson at thielekaolin.com
Thu Nov 20 22:12:03 CET 2008
Hello all!
I am currently running the following:
Syslog-ng 2.0.5 on FC8, kernel 2.6.23.1-42, no firewall, SELinux
disabled, logging to mysql 5.0.45 via a named pipe
Snare 2.6.1 on Windows Server 2003 with the enable syslog header option
checked
The Snare clients have been running for several years and were
communicating with an older version of snare. Everything logged
perfectly. Unfortunately a hardware failure caused loss of the config
file and old syslog server, so I do not have the configuration or
version which worked. My setup notes reference a howto online, which I
followed again.
I use the following destination to log to mysql
destination d_mysql {
pipe("/tmp/mysql.pipe"
template("INSERT INTO logs (host, facility, priority, level, tag, date,
time, program, msg, username) VALUES ( '$HOST', '$FACILITY',
'$PRIORITY', '$LEVEL','$TAG',
'$YEAR-$MONTH-$DAY', '$HOUR:$MIN:$SEC', '$PROGRAM', '$MSG' ,
'$USERNAME' );\n") template-escape(yes));
};
And also this collector script to run the actual mysql client:
#
#!/bin/bash
if [ -e /tmp/mysql.pipe ]; then
while [ -e /tmp/mysql.pipe ]
do
mysql -u syslogusername --password=syslogpassword syslog <
/tmp/mysql.pipe
done
else
mkfifo /tmp/mysql.pipe
fi
I use out of the box filters and destinations to log to the messages
logfile (for debugging at this point)
My problem arises from the fact that for this entry in my messages file:
Nov 20 16:01:14 testserver.mydomain.com FTPSvcLog 3 21:01:11
172.16.5.166 [36863]created /index.htm 226 0
I only get 'FTPsvcLog' written to the messages field in mysql.
I am pretty sure its something obviously wrong but at this point I need
another set of eyes. My gut feeling is the issue stems from the tabs
following FTPSvcLog and the number 3. Any thoughts? Thanks in advance!
Eli
More information about the syslog-ng
mailing list