On Thu, 12 Feb 2015, Tiarnán de Burca wrote:

Hi,

First time posting, I don't think this has been asked before, but if I
missed an answer I apologise.

I'm currently logging syslog messages of a cisco callmanager to a mysql DB
via rsyslog with the following config:
---
$ModLoad imudp
$UDPServerRun 514
$ModLoad ommysql

$template FILENAME,"/var/log/%fromhost-ip%/syslog.log"
*.* ?FILENAME
*.* :ommysql:HOSTNAME,Syslog,sysloguser,PASSWORD
---

This config logs everything to:
/var/log/syslog
/var/log/[IPADDRESS]/syslog.log
And to my mysql server.

I have one issue: because I'm relaying, each message has two date stamps:

Feb 10 08:49:08 192.168.10.9 2372489: Feb 10 09:01:40.753: %LINK-3-UPDOWN:
Interface FastEthernet0/0, changed state to up

This means that everything gets put in the sql db taking the date stamp
from the relay and logging the entire log in the 'message' field.

Is there a way to put rsyslog into a 'transparent' mode where it relays the
messages unmodified?

The problem is that the Cisco device you are getting the logs from is not sending a valid message. The 2372489: in your sample message is not allowed by the syslog RFCs.

Rsyslog is trying to figure out what the right thing for this message should be, and in this case is guessing differently from what you want it to guess.

You can alter the template that you used to deliver the message to the destination, and the %rawmsg% variable is the unmodified data that you received. But the mysql database isn't wanting you to give it the unmodified data, it's wanting you to give it separate fields for the time, hostname, and message (at least), so the template that you create for that is going to be more complex (and probably include regexes to extract the fields; watch out for the fact that there can be a leading space on the day, i.e. Feb 9).

The best thing you could do is to figure out how to fix the logs that the Cisco is generating.

David Lang
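
The field extraction described in the reply, prototyped in Python as an added example (not code from the thread or from rsyslog) so the regex can be checked before it goes into a template. The function and field names and the second sample line are constructed here; the input is assumed to be the line as written to the log file in the post, and the year is passed in because the stamps carry none.

```python
import re
from datetime import datetime

# Syslog pads the day of month with a space ("Feb  9"), so allow one or two.
_TS = r"[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}"

LINE_RE = re.compile(
    rf"^(?P<relay_ts>{_TS}) "      # stamp added by the relay
    r"(?P<host>\S+) "              # %fromhost-ip% of the sender
    r"(?P<seq>\d+): "              # Cisco sequence number (the non-RFC part)
    r"[*.]?"                       # IOS prefixes unsynced clocks with * or .
    rf"(?P<device_ts>{_TS})(?:\.(?P<msec>\d{{1,3}}))?: "
    r"(?P<message>.*)$",
    re.DOTALL,
)


def _to_datetime(stamp, year, msec=None):
    # Collapse the padding space so the day parses the same either way.
    dt = datetime.strptime(f"{year} {' '.join(stamp.split())}", "%Y %b %d %H:%M:%S")
    if msec:
        dt = dt.replace(microsecond=int(msec.ljust(3, "0")) * 1000)
    return dt


def parse_relayed_line(line, year):
    """Split a relayed Cisco line into the separate columns a DB row needs."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None  # not the double-stamped shape; keep the raw line instead
    return {
        "received_at": _to_datetime(m["relay_ts"], year),
        "device_time": _to_datetime(m["device_ts"], year, m["msec"]),
        "host": m["host"],
        "seq": int(m["seq"]),
        "message": m["message"],
    }


# Sample from the post (re-joined onto one line) and a constructed variant
# with a single-digit, space-padded day.
SAMPLE = ("Feb 10 08:49:08 192.168.10.9 2372489: Feb 10 09:01:40.753: "
          "%LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up")
PADDED = ("Feb  9 08:49:08 192.168.10.9 2372490: Feb  9 09:01:40.753: "
          "%LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up")

if __name__ == "__main__":
    for sample in (SAMPLE, PADDED):
        print(parse_relayed_line(sample, 2015))
```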