Parse syslog messages into separate MySQL tables with rsyslog
from taking a look at this tutorial, I see no difference.
But taking a look at the template documentation from rsyslog, there seems to be a difference with mysql depending on the setting for parameter NO_BACKSLASH_ESCAPES
.
From the docs:
sql - format the string suitable for a SQL statement in MySQL format. This will
replace single quotes ("'") and the backslash character by their backslash-escaped
counterpart ("\'" and "\\") inside each field. Please note that in MySQL
configuration, the NO_BACKSLASH_ESCAPES mode must be turned off for this format to
work (this is the default).
stdsql - format the string suitable for a SQL statement that is to be sent to a
standards-compliant sql server. This will replace single quotes ("'") by two single
quotes ("''") inside each field. You must use stdsql together with MySQL if in MySQL
configuration the NO_BACKSLASH_ESCAPES is turned on.
Related videos on Youtube
efk
Updated on September 17, 2022Comments
-
efk over 1 year
Out of the box rsyslog will dump everything into the
SystemEvents
table within the `Syslog database (if you use the default schema provided). I would like to use a regular expression to filter inbound messages into separate database tables.I've played with this, but I'm having a hard time figuring out the best way to accomplish this (or even a way that functions).
In my rsyslog.conf:
$template wireless, \ "insert into RogueAPs \ (ReceivedAt, DeviceReportedTime, Facility, Priority, FromHost, Message) \ VALUES('%timegenerated%', '%timereported%', '%syslogfacility%', '%syslogpriority%', '%fromhost-ip%', '%msg%');", \ stdsql if $msg contains 'subtype=wireless' then :ommysql:127.0.0.1,Syslog,dbusername,dbpassword;wireless *.* :ommysql:127.0.0.1,Syslog,dbusername,dbpassword
This was my latest attempt, but I'm stuck.
(the RogueAPs table is just a clone of the default SystemEvents table that ships with rsyslog)
Version Info:
shell# /usr/local/sbin/rsyslogd -v rsyslogd 5.5.5, compiled with: FEATURE_REGEXP: Yes FEATURE_LARGEFILE: No FEATURE_NETZIP (message compression): Yes GSSAPI Kerberos 5 support: No FEATURE_DEBUG (debug build, slow code): No Atomic operations supported: Yes Runtime Instrumentation (slow code): No See http://www.rsyslog.com for more information.