There are two different issues here, and I think you are mixing them up.
Issue #1: how to parse the log line to get variables from it.
Issue #2: how to insert into multiple tables.
For Issue #2, he will need to have multiple templates (or appropriate variables
in templates) and then use the correct template for the type of insert that he
wants to do.
David Lang
On Tue, 18 Feb 2014, Radu Gheorghe wrote:
Hi Rune,
I only have veeeery little experience with mmnormalize, so maybe
others can help you more here.
From what I know, mmnormalize helps you parse your logs into rsyslog
variables. Templates, on the other hand, let you use those variables
(and the ones you get for free with syslog, such as severity) into
however you want your messages to look like (an insert statement).
From this I have two comments:
- there should be no required link between the number of rules you
have and the number of templates. You can have N types of logs, parsed
by N rules, and only have 1 template to format your messages, or the
other way around (use N templates for N different destinations, for a
single type of message)
- maybe it would help you if you'd upgrade to rsyslog 8.x. Not sure if
you already did that, but it should help because you have a much
changed mmnormalize module, using liblognorm v 1.0. Pavel also wrote
some nice docs of it here:
http://rsyslog.github.io/liblognorm/doc/_build/html/
Best regards,
Radu
2014-02-14 12:34 GMT+02:00 Rune Elvemo <[email protected]>:
First: I have a problem with a rule for a log line from postfix
An example of a log line:
Feb 12 10:39:01 bp-mta06 postfix/local[4369]: 8ACC51001F0:
to=<[email protected]>, orig_to=<root>, relay=local, delay=0.06,
delays=0.05/0.01/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
This is the filter I've written, but it doesn't work:
prefix=%date:date-rfc3164% %hostname:word%
rule=to: postfix/local[%notused:number%]: %mailid:char-to:\x3a%:
to=<%address:char-to:>%>, orig_to=%notused2:word% relay=%notused3:word%
delay=%notused4:word% delays=%notused5:word% dsn=%notused6:word%
status=%status:word% %2notused3:char-to:)%)
What is causing the problem is this: '%mailid:char-to:\x3a%:'
If I replace it with '%mailid:word%' I get all the fields I want, but I do
not want the ':' in the mailid field.
Second:
The log data will be stored in a mysql database, with multiple tables (mail,
router, etc.).
In order to do that I need several templates with different insert
statements. One for each table.
I've looked at this page:
http://www.rsyslog.com/using-rsyslog-mmnormalize-module-effectively-with-adiscon-loganalyzer/,
and it has one rule without a name, and a single $template line.
It seems like there is no 'rule' option (man page rsyslog.conf(5)) for a
'$template' line. Is this correct? If so, how am I going to use several
insert statements?
Thanks.
--
Kind regards
Rune Elvemo
BITPRO
BITPRO AS
Sjølystveien 27
4610 Kristiansand, Norway
Phone: +47 47 91 71 00
Fax: +47 47 91 71 01
E-mail: [email protected]
Web: www.bitpro.no
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
LIKE THAT.
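
An added example, not part of the original thread and not code from any of the posters: one way to lay out Issue #2 in rsyslog's RainerScript syntax, with one SQL template per table and a filter deciding which ommysql action fires. The rulebase path, database name, credentials, column names and the router source address are all assumptions; the field names mailid, address and status are taken from the rule quoted above.

```conf
module(load="mmnormalize")
module(load="ommysql")

# Parse every message against the rulebase (path is an assumption).
# Parsed fields become $!mailid, $!address, $!status and so on.
action(type="mmnormalize" rulebase="/etc/rsyslog.d/rules.rb")

# One template per target table. option.sql="on" makes rsyslog escape
# quote characters in property values; the parsed fields come from
# message content that a remote sender controls, and ommysql will not
# use a template that lacks the option.
template(name="mailInsert" type="string" option.sql="on"
         string="INSERT INTO mail (received, host, mailid, address, status) VALUES ('%timereported:::date-mysql%', '%hostname%', '%$!mailid%', '%$!address%', '%$!status%')")

template(name="routerInsert" type="string" option.sql="on"
         string="INSERT INTO router (received, host, message) VALUES ('%timereported:::date-mysql%', '%hostname%', '%msg%')")

# The filter, not the rulebase, selects the template: postfix lines that
# parsed cleanly go to the mail table, router traffic to the router table.
if $programname startswith "postfix" and $parsesuccess == "OK" then {
    action(type="ommysql" server="127.0.0.1" db="logs"
           uid="rsyslog" pwd="CHANGE_ME" template="mailInsert")
} else if $fromhost-ip == "192.0.2.1" then {   # constructed router address
    action(type="ommysql" server="127.0.0.1" db="logs"
           uid="rsyslog" pwd="CHANGE_ME" template="routerInsert")
}
```

Messages that fail to parse match neither branch here, so they are not inserted with empty fields; route them to a file action if they need to be reviewed.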