rsyslog configuration with mysql tables !

shipon_97 · 06-12-2016, 04:45 AM

Dear Friends,

I have to configure rsyslog server for creating centralized log monitoring purpose using mysql database . I am using the below link to configure :

https://ciscoskills.net/2014/06/11/i...on-centos-6-5/

My rsylog configuration for mysql DB :
----------------------------------------------
###mysql
$ModLoad ommysql.so
*.*

mmysql:127.0.0.1,Syslog,rsyslog,rsyslog
-------------------------------------------------
At present , all information goes to a single table using a single database .

Now I have a requirement :
Since I have 3 environment for keeping logs , Network Router , Linux OS and windows . I wanna keep this 3 logs onto 3 different tables under one database .

How can I configure it ?

Also I need to know what are the benefits using rsyslog template ?

Need your kind assistance please ...

jpollard · 06-12-2016, 08:30 AM

Change the program to put it into different tables....

As always, you need to show what you are doing.

The benefit of using the template is that you get what you want.

Habitual · 06-12-2016, 10:38 AM

Rsyslog has a createDB script in the following location: /usr/share/doc/rsyslog-mysql-8.2.1/createDB.sql, you can leave this alone or you can optionally change the database name. says your link.

Does not say you can change the tables.
I'd say follow the directions.

Good Luck.

shipon_97 · 06-12-2016, 11:02 AM

I wanna use multiple table under a single database .
would you please tell in brief.

Habitual · 06-12-2016, 05:57 PM

Quote:

Originally Posted by shipon_97

I wanna use multiple table under a single database .
would you please tell in brief.

Don't repeat yourself.

Have a look at /usr/share/doc/rsyslog-mysql-8.2.1/createDB.sql and see how the one you have now is constructed.

Look for "create table" statements
Can you handle that?

shipon_97 · 06-13-2016, 03:07 AM

Thx .

I create another table and put data onto it using rsyslog Template , like below way :

==========================================================================================
cat /etc/rsyslog.conf

$ModLoad ommysql.so
$ModLoad imuxsock
$ModLoad ommysql
$ModLoad imtcp
$ModLoad imudp

if ($FromHost == '192.168.1.41' ) then

mmysql:127.0.0.1,Syslog,rsyslog,rsyslog; hotmpl
if ($FromHost == '192.168.0.87') then

mmysql:127.0.0.1,Syslog,rsyslog,rsyslog; hotmp2

#Templates
$template hotmp1,"insert into SystemEvents (Message, Facility, FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ('%msg%', %syslogfacility%, '%HOSTNAME%', %syslogpriority%, '%timereported:::date-mysql%', '%timegenerated:::date-mysql%', %iut%, '%syslogtag%')",SQL

$template hotmp2,"insert into windows (Message, Facility, FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ('%msg%', %syslogfacility%, '%HOSTNAME%', %syslogpriority%, '%timereported:::date-mysql%', '%timegenerated:::date-mysql%', %iut%, '%syslogtag%')",SQL
================================================================

Now in this case , i get error on '/var/log/messages' :

-------Error-----------
Jun 15 18:13:35 oem rsyslogd:could not load module '/usr/lib64/rsyslog/imuxsock', dlopen: /usr/lib64/rsyslog/imuxsock: cannot open shared object file: No such file or directory
Jun 15 18:13:35 oem rsyslogd:the last error occured in /etc/rsyslog.conf, line 61
Jun 15 18:13:35 oem rsyslogd:could not load module '/usr/lib64/rsyslog/ommysql', dlopen: /usr/lib64/rsyslog/ommysql: cannot open shared object file: No such file or directory
Jun 15 18:13:35 oem rsyslogd:the last error occured in /etc/rsyslog.conf, line 62
Jun 15 18:13:35 oem rsyslogd:could not load module '/usr/lib64/rsyslog/imtcp', dlopen: /usr/lib64/rsyslog/imtcp: cannot open shared object file: No such file or directory
Jun 15 18:13:35 oem rsyslogd:the last error occured in /etc/rsyslog.conf, line 63
Jun 15 18:13:35 oem rsyslogd:could not load module '/usr/lib64/rsyslog/imudp', dlopen: /usr/lib64/rsyslog/imudp: cannot open shared object file: No such file or directory
Jun 15 18:13:35 oem rsyslogd:the last error occured in /etc/rsyslog.conf, line 64
Jun 15 18:13:35 oem rsyslogd:invalid or yet-unknown config file command - have you forgotten to load a module?
Jun 15 18:13:35 oem rsyslogd:the last error occured in /etc/rsyslog.conf, line 65
Jun 15 18:13:35 oem rsyslogd:unknown facility name "if"
Jun 15 18:13:35 oem rsyslogd:the last error occured in /etc/rsyslog.conf, line 76
Jun 15 18:13:35 oem rsyslogd:warning: selector line without actions will be discarded
Jun 15 18:13:35 oem kernel: rklogd 2.0.6, log source = /proc/kmsg started.
--------------------------------------------------------------------------------------

Would anybody please help me How I can I resolve this error .

Here I mention that I am using built-in rsyslog package for my linux server (Red Hat Enterprise Linux Server release 5.4 (Tikanga))

Habitual · 06-13-2016, 03:13 AM

Good luck with that.