[syslog-ng] Store syslog occurrence frequency instead of adding all of them to the DB

syslogng at feystorm.net syslogng at feystorm.net
Fri Aug 19 16:00:22 CEST 2011


The idea that was mentioned is not without its flaws.
Firstly, say you receive a message on the 1st, then you receive the same 
message on the 10th; you would lose all record that the message was 
received on the 1st, as the date on it would be modified to the most recent 
occurrence of the message. The ideal example would be to only merge 
multiple occurrences of the message when they appear sequentially with 
no other messages between them.
Secondly, using a 32-bit checksum of the message text to determine 
uniqueness is risky. It would be fairly easy to end up with 2 different 
messages that have the same checksum. An md5 checksum would be much 
better, but I don't believe syslog-ng has a function to compute md5 sums.
Lastly, the table key needs to be modified so the host name is part of 
it. As it is with the way Martin mentioned, if 2 hosts get the same 
message, the latter one will update the timestamp of the first host's 
message, making it look like the second host never had such a message at 
all, and that the first host got it twice.

The idea holds merit, and if these issues are fine with you, then it 
should work. But syslog-ng already merges sequential duplicate messages 
when logging to files, so it'd probably be fairly trivial to port this 
functionality over to the sql driver. I'd make a feature request on the 
bug tracker.

-Patrick

Sent: Fri Aug 19 2011 02:11:45 GMT-0600 (MST)
From: Marcos Tang <marcostang2002 at yahoo.com>
To: Syslog-ng users' and developers' mailing list 
<syslog-ng at lists.balabit.hu>, Martin Holste <mcholste at gmail.com>
Subject: Re: [syslog-ng] Store syslog occurrence frequency instead of 
adding all of them to the DB
> Hi Martin & Florian,
> I am not good at SQL and I have the following table right now. Do you 
> mean my current table also needs to merge with your table to form one 
> single table?
> What is the corresponding syslog-ng.conf file which I should modify to 
> fit for your table?
> Once again, thanks for your suggestions for me.
> mysql> desc logs;
> +----------+------------------+------+-----+---------+----------------+
> | Field    | Type             | Null | Key | Default | Extra          |
> +----------+------------------+------+-----+---------+----------------+
> | host     | varchar(32)      | YES  | MUL | NULL    |                |
> | facility | varchar(10)      | YES  | MUL | NULL    |                |
> | priority | varchar(10)      | YES  | MUL | NULL    |                |
> | level    | varchar(10)      | YES  |     | NULL    |                |
> | tag      | varchar(10)      | YES  |     | NULL    |                |
> | date     | date             | YES  | MUL | NULL    |                |
> | time     | time             | YES  | MUL | NULL    |                |
> | program  | varchar(15)      | YES  | MUL | NULL    |                |
> | msg      | text             | YES  |     | NULL    |                |
> | seq      | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
> +----------+------------------+------+-----+---------+----------------+
> 10 rows in set (0.00 sec)
>
>
> Regards,
> Marcos
>
> --- On Fri, 8/19/11, Martin Holste <mcholste at gmail.com> wrote:
>
>
>     From: Martin Holste <mcholste at gmail.com>
>     Subject: Re: [syslog-ng] Store syslog occurrence frequency instead
>     of adding all of them to the DB
>     To: "Syslog-ng users' and developers' mailing list"
>     <syslog-ng at lists.balabit.hu>
>     Cc: "Marcos Tang" <marcostang2002 at yahoo.com>
>     Date: Friday, August 19, 2011, 4:10 AM
>
>     I'd add on to this by using a crc function to hash the message and
>     store that in a column to make the unique check very fast:
>     CREATE TABLE mylogs (
>       id BIGINT UNSIGNED NOT NULL PRIMARY KEY AUTO_INCREMENT,
>       timestamp TIMESTAMP NOT NULL,
>       crc INT UNSIGNED NOT NULL,
>       count INT UNSIGNED NOT NULL DEFAULT 0,
>       msg TEXT,
>       UNIQUE KEY (crc)
>     );
>     INSERT INTO mylogs (timestamp, crc, msg) values($timestamp,
>     CRC32($msg),
>     $msg) ON DUPLICATE KEY UPDATE count=count+1, timestamp=$timestamp;
>
>     On Thu, Aug 18, 2011 at 1:33 PM, system at ra-schaal.de
>     <system at ra-schaal.de> wrote:
>     > On 18.08.2011 19:52, Marcos Tang wrote:
>     >
>     >> Can those records being "processed" some how and when I search
>     the MySQL
>     >> DB, I only see ONE record list the following only?
>     >>
>     >> Total occurrence | Message content
>     >> ================ | ===================
>     >> 14,400           | File system is full
>     >>
>     >
>     > can't you use something like
>     >
>     > INSERT INTO tables VALUES (date,logstring) ON duplicate KEY
>     UPDATE date;
>     >
>     > ?
>     >
>     > florian
>     >
>
>
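Added example for the points raised in this thread; it is not syslog-ng code and not anything posted above. It puts the quoted CRC32 / overwrite-the-timestamp scheme beside a merge that keeps the host as part of a row's identity, merges only into that host's most recent row when it carries the same message, records both the first and the last occurrence, and keys on a SHA-256 digest rather than a 32-bit checksum. It runs against sqlite3 in memory; MySQL's INSERT ... ON DUPLICATE KEY UPDATE is emulated with an INSERT that falls back to an UPDATE on the unique-key conflict. The table and column names, the sample messages, the per-host reading of "sequential", and the choice of SHA-256 are all assumptions.

```python
"""Side-by-side sketch of the two schemes discussed in the thread (added
example, not syslog-ng code): sqlite3 in memory, constructed sample input."""
import hashlib
import sqlite3
import zlib

# Constructed sample input: (host, timestamp, message), in arrival order.
SAMPLE = [
    ("web1", "2011-08-01 10:00:00", "File system is full"),
    ("web1", "2011-08-01 10:00:01", "File system is full"),
    ("web1", "2011-08-01 10:00:02", "File system is full"),
    ("web2", "2011-08-01 10:00:03", "File system is full"),
    ("web1", "2011-08-01 10:05:00", "sshd: Accepted publickey for admin"),
    ("web1", "2011-08-10 09:00:00", "File system is full"),
]

# The quoted scheme: CRC32 of the text is the unique key, there is no host
# column, and every repeat overwrites the stored timestamp.
NAIVE_SCHEMA = """
CREATE TABLE mylogs (
  id        INTEGER PRIMARY KEY AUTOINCREMENT,
  timestamp TEXT    NOT NULL,
  crc       INTEGER NOT NULL UNIQUE,
  count     INTEGER NOT NULL DEFAULT 0,
  msg       TEXT
);
"""

def naive_insert(conn, ts, msg):
    """MySQL's INSERT ... ON DUPLICATE KEY UPDATE, emulated for sqlite as an
    INSERT that falls back to an UPDATE when the UNIQUE(crc) check fires."""
    crc = zlib.crc32(msg.encode())
    try:
        conn.execute("INSERT INTO mylogs (timestamp, crc, msg) VALUES (?, ?, ?)",
                     (ts, crc, msg))
    except sqlite3.IntegrityError:
        conn.execute("UPDATE mylogs SET count = count + 1, timestamp = ? WHERE crc = ?",
                     (ts, crc))

# The merged scheme (assumed layout): host is part of the identity, a 256-bit
# digest replaces the 32-bit checksum, and first and last occurrence are kept.
MERGED_SCHEMA = """
CREATE TABLE logs (
  seq        INTEGER PRIMARY KEY AUTOINCREMENT,
  host       TEXT    NOT NULL,
  digest     TEXT    NOT NULL,
  first_seen TEXT    NOT NULL,
  last_seen  TEXT    NOT NULL,
  count      INTEGER NOT NULL DEFAULT 1,
  msg        TEXT    NOT NULL
);
CREATE INDEX logs_host_seq ON logs (host, seq);
"""

def merged_insert(conn, host, ts, msg):
    """Merge only into the host's most recent row, and only when that row
    carries the same message; anything else starts a new row.  Returns True
    when a new row was created, False when an existing one was bumped."""
    digest = hashlib.sha256(msg.encode()).hexdigest()
    last = conn.execute(
        "SELECT seq, digest FROM logs WHERE host = ? ORDER BY seq DESC LIMIT 1",
        (host,)).fetchone()
    if last is not None and last[1] == digest:
        conn.execute("UPDATE logs SET count = count + 1, last_seen = ? WHERE seq = ?",
                     (ts, last[0]))
        return False
    conn.execute(
        "INSERT INTO logs (host, digest, first_seen, last_seen, msg) "
        "VALUES (?, ?, ?, ?, ?)",
        (host, digest, ts, ts, msg))
    return True

def run_naive(sample=SAMPLE):
    """Load the sample through the naive scheme; return (msg, count, timestamp) rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(NAIVE_SCHEMA)
    for _host, ts, msg in sample:
        naive_insert(conn, ts, msg)
    return conn.execute("SELECT msg, count, timestamp FROM mylogs ORDER BY id").fetchall()

def run_merged(sample=SAMPLE):
    """Load the sample through the merged scheme; return
    (host, msg, count, first_seen, last_seen) rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(MERGED_SCHEMA)
    for host, ts, msg in sample:
        merged_insert(conn, host, ts, msg)
    return conn.execute(
        "SELECT host, msg, count, first_seen, last_seen FROM logs ORDER BY seq").fetchall()

if __name__ == "__main__":
    print("naive :", *run_naive(), sep="\n  ")
    print("merged:", *run_merged(), sep="\n  ")
```

With the sample above the naive table collapses every "File system is full" from both hosts into one row whose timestamp is the 10th, so the run on the 1st and the fact that web2 saw it at all are gone; the merged table keeps web1's three back-to-back copies as one row with first and last seen, web2's copy as its own row, and the message on the 10th as a fresh row because another message arrived on that host in between.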