[syslog-ng] escapes in SQL statements (was Re: dbtype in SQL logging)
Zoltán Pallagi
pzolee at balabit.hu
Fri Mar 11 14:27:37 CET 2011
Hm... it's a bug in syslog-ng. We already found it in PE before, Bazsi
should port the fix back to OSE.
On 2011-03-11 13:35, Hendrik Visage wrote:
> Okay, now that I have the "" -> Null replacements, now I have another
> escape issue.
>
> Making use of Postgresql's bigserial, it reads:
> <qoute
> http://www.postgresql.org/docs/9.0/interactive/datatype-numeric.html#DATATYPE-SERIAL>
> To insert the next value of the sequence into the serial column,
> specify that the serial column should be assigned its default value.
> This can be done either by excluding the column from the list of
> columns in the INSERT statement, or through the use of the DEFAULT key
> word.
> </quote>
>
> Which means I have to have *no* quotes, which the syslog-ng enforces :(
>
> destination d_pgsql {
> sql(type(pgsql)
> host("127.0.0.1") username("logwriter") password("logwriter")
> port("5432")
> database("syslog") table("SystemEvents")
> columns("ID bigserial primary key","ReceivedAt timestamptz NULL",
> "DeviceReportedTime timestamptz NULL",
> "Facility smallint NULL","Priority smallint NULL","FromHost
> varchar(60) NULL",
> "Message text","InfoUnitID int NULL","SysLogTag varchar(60)",
> "CustomerID bigint","NTSeverity int NULL","Importance int
> NULL","EventSource varchar(60)","EventUser varchar(60) NULL",
> "EventCategory int NULL","EventID int NULL","EventBinaryData text
> NULL","MaxAvailable int NULL","CurrUsage int NULL","MinUsage int NULL",
> "MaxUsage int NULL","EventLogType varchar(60)","GenericFileName
> VarChar(60)","SystemID int NULL")
> values(DEFAULT,"$R_ISODATE",
> "$S_ISODATE","$FACILITY_NUM","$LEVEL_NUM","$HOST",
> "$MSGONLY","1","$MSGHDR","","","","","","","","","","","","","","","")
> indexes("ID","ReceivedAt","Facility","Priority","FromHost","SysLogTag",)
> null(""));
> };
>
>
>
> Running SQL query; query='INSERT INTO SystemEvents (ID, ReceivedAt,
> DeviceReportedTime, Facility, Priority, FromHost, Message, InfoUnitID,
> SysLogTag, CustomerID, NTSeverity, Importance, EventSource, EventUser,
> EventCategory, EventID, EventBinaryData, MaxAvailable, CurrUsage,
> MinUsage, MaxUsage, EventLogType, GenericFileName, SystemID) VALUES
> (\'DEFAULT\', \'2011-03-11T14:14:12+02:00\',
> \'2011-03-11T11:12:37+02:00\', \'20\', \'6\', \'betvmi01\',
> \'[2011-03-11 11:12:37.565 11AA6B90 verbose \'\'App\'\'] [VpxaVMAP]
> CheckThreshold percent changes (0,0,0,0) - threshold 5\', \'1\',
> \'Vpxa: \', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
> NULL, NULL, NULL, NULL, NULL, NULL)'
> Error running SQL query; type='pgsql', host='127.0.0.1', port='5432',
> user='logwriter', database='syslog', error='*ERROR: invalid input
> syntax for integer: "DEFAULT"*\x0aLINE 1: ... EventLogType,
> GenericFileName, SystemID) VALUES
> (\'DEFAULT\',...\x0a
> ^\x0a', query='INSERT INTO SystemEvents (ID, ReceivedAt,
> DeviceReportedTime, Facility, Priority, FromHost, Message, InfoUnitID,
> SysLogTag, CustomerID, NTSeverity, Importance, EventSource, EventUser,
> EventCategory, EventID, EventBinaryData, MaxAvailable, CurrUsage,
> MinUsage, MaxUsage, EventLogType, GenericFileName, SystemID) VALUES
> (\'DEFAULT\', \'2011-03-11T14:14:12+02:00\',
> \'2011-03-11T11:12:37+02:00\', \'20\', \'6\', \'betvmi01\',
> \'[2011-03-11 11:12:37.565 11AA6B90 verbose \'\'App\'\'] [VpxaVMAP]
> CheckThreshold percent changes (0,0,0,0) - threshold 5\', \'1\',
> \'Vpxa: \', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
> NULL, NULL, NULL, NULL, NULL, NULL)'
>
> AS long as there is now escapes for the DEFAULT, then it "works":
>
> syslog=# INSERT INTO SystemEvents (ID, ReceivedAt, DeviceReportedTime,
> Facility, Priority, FromHost, Message, InfoUnitID, SysLogTag,
> CustomerID, NTSeverity, Importance, EventSource, EventUser,
> EventCategory, EventID, EventBinaryData, MaxAvailable, CurrUsage,
> MinUsage, MaxUsage, EventLogType, GenericFileName, SystemID) VALUES
> (DEFAULT, '2011-03-11T14:10:18+02:00', '2011-03-11T11:08:43+02:00',
> '20', '6', 'betvmi01', '[2011-03-11 11:08:43.522 11921B90 verbose
> ''App''] [VpxaVMAP::Invoke] Command returned successfully', '1',
> 'Vpxa: ', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
> NULL, NULL, NULL, NULL, NULL);
> INSERT 0 1
> syslog=#
>
> On Tue, Feb 22, 2011 at 12:59 PM, Zoltán Pallagi <pzolee at balabit.hu
> <mailto:pzolee at balabit.hu>> wrote:
>
> Try this:
> columns("datetime varchar(16)", "host varchar(32)", "program
> varchar(16)", "pid varchar(4) default null", "message varchar")
> values("$R_DATE", "$HOST", "$PROGRAM", "$PID", "$MSG")
>
> indexes("datetime", "host", "program", "pid", "message")
> null(""));
>
> null(): If the content of a column matches the string specified in
> the /|null()|/ parameter, the contents of the column will be
> replaced with an SQL NULL value
>
> It worked for me:
>
> Incoming log entry; line='<166>Feb 22 08:38:59 Vpxa: HostChanged
> Event Fired, properties changed []'
> Running SQL query; query='INSERT INTO
> t2105010221cdb33661c82e91cb0b (datetime, host, program, pid,
> message) VALUES (\'Feb 22 11:50:17\', \'thor-t410\', \'Vpxa\',
> NULL, \'HostChanged Event Fired, properties changed []\')'
>
> Ofc, you can use integer type for pid, but this is a string and
> not an integer.
>
>
> On 2011-02-22 10:57, Hendrik Visage wrote:
>> Hi there,
>>
>> Okay, looks like I was looking/thinking about something else, so
>> lets explain my problem.
>>
>> I want the pid inseted to be a "proper" number/integer, not a
>> string/character, and the fun starts with several of my sources
>> not having a pid entry, thus that field I would like to be filled
>> with NULL values. However, it still gets escaped, and when it
>> gets escaped, the NULL is not null anymore, but the string 'NULL' :(
>>
>> I was hoping that in some why I could coerce syslog-ng to
>> understand that that column is a integer column, thus should not
>> be escaped as it is currently done ;(
>>
>> I have the following destination:
>> destination d_pgsql {
>> sql(type(pgsql)
>> host("127.0.0.1") username("logwriter") password("logwriter")
>> port("5432")
>> database("syslog")
>> table("logs_${HOST}_${R_YEAR}${R_MONTH}${R_DAY}") #or whatever
>> you want, example ${HOST}" for hosts, ${LEVEL}" for levels.. etc
>> columns("datetime varchar(16)", "host varchar(32)", "program
>> varchar(16)", "pid varchar(8) default null", "message varchar")
>> values("$R_DATE", "$HOST", "$PROGRAM", "${PID:-NULL}", "$MSG")
>> indexes("datetime", "host", "program", "pid", "message"));
>> };
>>
>> and the following log lines:
>>
>> Incoming log entry; line='<166>Feb 22 08:38:59 Vpxa: [2011-02-22
>> 08:38:59.862 1B7A7B90 verbose \'App\'] [VpxaHalServices]
>> HostChanged Event Fired, properties changed []'
>> Running SQL query; query='INSERT INTO logs_somedevice_20110222
>> (datetime, host, program, pid, message) VALUES (\'Feb 22
>> 11:39:27\', \'somedevice\', \'Vpxa\', \'NULL\', \'[2011-02-22
>> 08:38:59.862 1B7A7B90 verbose \'\'App\'\'] [VpxaHalServices]
>> HostChanged Event Fired, properties changed []\')'
>>
>>
>> ______________________________________________________________________________
>> Member info:https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> Documentation:
>> http://www.balabit.com/support/documentation/?product=syslog-ng
>> FAQ: http://www.campin.net/syslog-ng/faq.html
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20110311/493af415/attachment-0001.htm
More information about the syslog-ng
mailing list