rsyslog filtering syslog messages
Hello there,
I have a problem with rsyslog: filtering syslog messages with a regex and then writing them to a MySQL database. The rsyslog.conf file format is the following:
Code:
:msg, regex, "ASA-0" :ommysql:127.0.0.1,Syslog,rsyslog,password
So I am trying to write all syslog messages containing ASA-0 to the MySQL database, but unfortunately it isn't working: all messages are written to the database. The rsyslog version is 4.6.4.
Shouldn't you be using something like
Code:
:hostname,contains,"ASA-0":ommysql:database-address,database-name,database-userid,database-password
Hello unSpawn,
I have already tried the configuration you mentioned but it isn't working. I have observed very strange behaviour from rsyslog: even when I have removed all statements of
Code:
*.* :ommysql:database-address,database-name,database-userid,database-password
log messages are always written to the database. Only if I unload the module does it stop writing syslog to the database.
You probably need to drop ASA-0 after you log to the database, something like
Code:
:hostname,contains,"ASA-0" ~
Code:
if $hostname contains 'ASA-0' then :ommysql:database-address,database-name,database-userid,database-password
Here is the configuration file. Here I want to discard any logs that contain ASA-7, and write anything else into the database.
You posted a rsyslog configuration file which:
- doesn't show the rule you posted in your OP,
- doesn't show any trace of what I wrote about in my replies,
- discards any "ASA-7" message before it hits the database filter and
- logs any facility / priority pair (*.*) to database.
Here's what you should do / show:
- check your ASA "logging" for its "facility" setting: it may default to "20", the equivalent of the "local4" facility, so if nothing else uses that you could use it as filter in Rsyslog.
- then apply any ASA filter,
- then drop ASA items after the filter rule,
- then proceed processing other logs.
Then test and post back the result (as in 'grep -v ^# /etc/rsyslog.conf|grep .;').
Hello unSpawn,
Can you please explain, or show documentation which describes, the order in which rsyslog works with property-based filters? For this rule configuration:
Code:
:msg, regex, "ASA-7" ~
*.* :ommysql:127.0.0.1,Syslog,rsyslog,password
I was hoping that rsyslog would first discard all debugging syslog messages, and that all others would be written to the database? How does it process property-based filters, does it process them in sequence?
Basics: http://www.rsyslog.com/doc/rsyslog_conf.html
Writing and discarding: http://www.rsyslog.com/writing-speci...scarding-them/
Examples: http://wiki.rsyslog.com/index.php/Configuration_Samples
Filtering: http://www.rsyslog.com/doc/rsyslog_conf_filter.html (property-based filters halfway down the page)
After reading the documents mentioned above, I couldn't understand why these filter rules don't work:
Code:
:msg, regex, "ASA-7" ~
*.* :ommysql:127.0.0.1,Syslog,rsyslog,password
I expect that these two rules won't write into the database logs that contain the ASA-7 string in the message body. But they don't work: messages that contain ASA-7 are still written into the database. Can you please explain why they don't work?
Your initial question was:
Code:
:hostname,contains,"ASA-0" :ommysql:127.0.0.1,Syslog,rsyslog,password
Code:
:hostname,contains,"ASA-0" ~
Code:
:msg, regex, "ASA-0":ommysql:127.0.0.1,Syslog,rsyslog,password
Hello,
After implementing the following configuration.
Code:
:msg, regex, "ASA-0":ommysql:127.0.0.1,Syslog,rsyslog,password
Dunno. Haven't seen your modified rsyslog.conf.
Here is the modified config file.
Code:
$ModLoad imuxsock # provides support for local system logging
Some possibilities:
- Instead of ":msg,regex" test ":hostname,contains" or "syslogtag,contains" (after all I'm not sure it even is a hostname tag),
- Instead of ":msg, regex, "ASA-0" ~" try "& ~",
- Check your Cisco machine for its log facility and use that (post #6) instead of a regex,
- See if a convoluted if-something-else filter would do the job,
- Check the vendor for improvements in the ommysql output module and if necessary upgrade. They're at version major 7 BTW.
- Debug the hell out of Rsyslogd (http://www.rsyslog.com/doc/debug.html), or else ask in the rsyslog mailing list.
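To tie the thread together, here is an added example (not a config posted by anyone in this thread) of a legacy-syntax rsyslog.conf that orders the rules the way the replies describe: rules run top to bottom for every message, and a discard action (~) ends processing of that message, so the discard must sit above the database action. The database address, name, user and password are the placeholder values from the thread; the local4 facility is the ASA default mentioned in post #6 and must be checked on the ASA itself.

```conf
# Added example, not from the thread. Legacy rsyslog (v4-era) syntax.
# Rules are evaluated in file order for each message; "~" discards the
# message and stops further rules from seeing it.
$ModLoad imuxsock      # local system logging
$ModLoad imudp         # receive syslog from the ASA over UDP
$UDPServerRun 514
$ModLoad ommysql       # MySQL output module (must be loaded before use)

# 1. Drop debug-level ASA messages (their syslog ID contains "ASA-7") FIRST.
#    "regex" here is a POSIX basic regex; "contains" is a cheaper literal match.
:msg, contains, "ASA-7" ~

# 2. Everything that survived step 1 goes to the database.
#    Placeholder connection values taken from the thread, not real credentials.
*.* :ommysql:127.0.0.1,Syslog,rsyslog,password

# Variant for "only ASA messages in the database": select by facility
# (ASA default facility 20 = local4, verify on the ASA), log them, then
# "& ~" re-applies the same filter to discard so later rules never see them.
#local4.* :ommysql:127.0.0.1,Syslog,rsyslog,password
#& ~

# 3. Remaining messages are handled as usual.
*.info;mail.none;authpriv.none;cron.none   /var/log/messages
```

A quick functional check is to emit one message with `logger -p local4.debug "ASA-7 test"` and one with `logger -p local4.info "ASA-6 test"` and confirm that only the second row appears in the MySQL table.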