On Mon, 6 Oct 2014, Rainer Gerhards wrote:
Sent from phone, thus brief.
On 06.10.2014 19:43, "David Lang" <[email protected]> wrote:
On Mon, 6 Oct 2014, Balint Szigeti wrote:
On Mon, 2014-10-06 at 06:31 -0700, David Lang wrote:
On Mon, 6 Oct 2014, Balint Szigeti wrote:
Yes, the insert command to MySQL can be anything that you want (by setting the
format), and you can have different conditions to write different formats.
look at http://www.rsyslog.com/doc/ommysql.html for the template example.
David Lang
and how can you do it? you should specify in a template the order of
cells and you can use only one template for one action. Yes, you can
separate them according to syslog tag but rsyslog doesn't automatically
create the table even if it has the proper credentials.
What is your question?
My question is, how is it possible to use 2nd normal form with rsyslog.
I think currently it is impossible.
Ok, I'm not understanding what you mean by "2nd normal form"
http://en.m.wikipedia.org/wiki/Database_normalization
even with that reference, the question still arises. Remember that a log message
has very few official pieces of data to deal with (source machine, timestamp,
programname, priority, and everything else is one blob)
when you start talking about wanting to organize data, you are almost certainly
talking about first parsing apart the message blob and then doing things with
that data. If only because trying to talk about 2nd normal form with just the
official pieces ends up being pretty meaningless.
You have to first talk about what you choose to use as your candidate key.
Without parsing a log message, the only thing you really have is <hostname,
timestamp> (and even there, you are dependent on the sending machine setting the
timestamp to sufficient precision to not have any duplicates)
Now, once you start parsing apart the message field, you can have a lot of
different ways to do things, depending on what is in the message field, and how
you choose to parse it.
Which gets back to the question about what the OP is actually trying to do.
with the ability to do conditionals and set variables (including variables
device via format strings), it's possible to craft some pretty complex SQL
commands. Leveraging capabilities in the database (such as stored procedures,
which I believe MySQL now has), you can do an incredible amount of stuff.
David Lang
The key thing is that rsyslog is primarily a log processing system, not a
dbms. You can, however, normalize your tables and craft configurations that
put different message parts into different tables. Depending on what you
intend to do, it's probably easier to write a plugin, e.g. in python.
Rainer
David Lang
you create the table before you start sending logs to the database.
you are correct that you can only have one template in an action, but since you
can define conditions on when that action is used, you just define your
different templates and use the conditions to decide which one to use.
thank you. that was my idea as well.
David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.
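The approach discussed in this thread (one SQL template per action, with conditions choosing which action fires) can be sketched as the following rsyslog configuration. This is an added example, not a configuration posted by anyone on the list; the table names, column names, database host, account name and the `sshd` condition are all assumptions, and the tables are assumed to have been created beforehand.

```rsyslog
# Added example: hypothetical tables auth_events and other_events must
# already exist; rsyslog does not create them.
module(load="ommysql")

# option.sql="on" makes rsyslog escape quote characters in property values
# the way MySQL expects, so message text written by a remote sender cannot
# close the string literal and alter the INSERT statement.
template(name="sqlAuth" type="string" option.sql="on"
         string="INSERT INTO auth_events (received_at, host, program, message) VALUES ('%timegenerated:::date-mysql%', '%hostname%', '%programname%', '%msg%')")

template(name="sqlOther" type="string" option.sql="on"
         string="INSERT INTO other_events (received_at, host, priority, message) VALUES ('%timegenerated:::date-mysql%', '%hostname%', '%syslogpriority%', '%msg%')")

# One template per action; the condition decides which action (and so which
# table layout) a given message goes to.
if $programname == "sshd" then {
    action(type="ommysql"
           server="db.example.internal"   # hypothetical host
           db="Syslog"
           uid="rsyslog_writer"           # hypothetical account; grant INSERT only
           pwd="CHANGE_ME"                # placeholder
           template="sqlAuth")
} else {
    action(type="ommysql"
           server="db.example.internal"
           db="Syslog"
           uid="rsyslog_writer"
           pwd="CHANGE_ME"
           template="sqlOther")
}
```

Because the database password sits in the configuration file, the file should be readable only by the account rsyslog runs as.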