[syslog-ng] Logging only if phrase found

Gergely Nagy algernon at balabit.hu
Wed May 18 00:16:01 CEST 2011


Sebastian Deißner <sebastian at debianfan.de> writes:

> options {
>          chain_hostnames(off);
>          sync(0);
>          stats(43200);
> };
>
> source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };
>
> destination d_mysql {
>     program("/usr/bin/mysql --user=syslogfeeder --password=SuperPassWord syslog"
>         template("INSERT INTO logs (host, facility, priority, level, tag, datetime, program, msg) VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC','$PROGRAM', '$MSG' );\n")
>         template-escape(yes));
> };
>
> destination messages { file("/var/log/messages"); };
>
> log {
>     source(src); destination(messages); destination(d_mysql);
> };
>

> I want to have only the entries in my log database, that contain a 
> specific phrase, for example all the entries with "...connect..."
>
>
> Is this possible with syslog-ng?

Yes, it is. You can use filters, somewhat like this:

filter f_connect {
  message("*connect*" type(glob));
};

You can use regular expressions in the filter too - just remove the
type(glob) part then.

And then add filter(f_connect); to your log block:

log {
 source(src);
 destination(messages);
 filter(f_connect);
 destination(d_mysql);
};

This will log all messages to the messages destination, but only
filtered ones to mysql. As far as I understand it, anyway. I usually use
separate log blocks:

log {
 source(src);
 destination(messages);
};

log {
 source(src);
 filter(f_connect);
 destination(d_mysql);
};

-- 
|8]
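An added example, not part of the thread, that simulates the two log paths from the reply in Python so the filter pattern can be tried against sample messages before it is deployed: a glob filter like message("*connect*" type(glob)), a regex filter like message("\bconnect\b"), and the quoting that template-escape(yes) applies to $MSG. The messages are constructed, and the escaping rule (backslash before ', " and \) is an assumption about how syslog-ng escapes.

```python
import fnmatch
import re

# Constructed sample (program, message) pairs, not taken from the original thread.
SAMPLE_MESSAGES = [
    ("sshd", "Accepted publickey for alice from 192.0.2.10 port 50022"),
    ("sshd", "Received disconnect from 192.0.2.10: 11: disconnected by user"),
    ("mysqld", "Aborted connection 12 to db: 'syslog' user: 'syslogfeeder'"),
    ("cron", "(root) CMD (run-parts /etc/cron.hourly)"),
    ("app", "client 'o'connor' failed to connect"),
]


def glob_filter(pattern):
    """Mimic message("..." type(glob)): case-sensitive shell-style wildcard match."""
    return lambda msg: fnmatch.fnmatchcase(msg, pattern)


def regex_filter(pattern):
    """Mimic message("...") without type(glob): an unanchored regular-expression search."""
    compiled = re.compile(pattern)
    return lambda msg: compiled.search(msg) is not None


def template_escape(value):
    """Assumed behaviour of template-escape(yes): backslash-escape \\, ' and "
    so a message containing quotes cannot break out of the INSERT statement."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def route(messages, filt):
    """Two log blocks as in the reply: every message goes to the file destination,
    only messages accepted by the filter are rendered into the SQL destination."""
    file_dest = [msg for _, msg in messages]
    sql_dest = [
        "INSERT INTO logs (program, msg) VALUES ('%s', '%s');"
        % (template_escape(prog), template_escape(msg))
        for prog, msg in messages
        if filt(msg)
    ]
    return file_dest, sql_dest


if __name__ == "__main__":
    _, rows = route(SAMPLE_MESSAGES, glob_filter("*connect*"))
    print("\n".join(rows))
```

Note that the glob "*connect*" also accepts "disconnect" and "connection"; the regex form with word boundaries keeps only the exact word.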