Thanks for the info. I'll do some more digging and see what I can do. T.

On Thu, Feb 12, 2015 at 9:43 PM, David Lang <[email protected]> wrote:

> On Thu, 12 Feb 2015, Tiarnán de Burca wrote:
>
>> Hi,
>>
>> First time posting, I don't think this has been asked before, but if I
>> missed an answer I apologise.
>>
>> I'm currently logging syslog messages of a cisco callmanager to a mysql DB
>> via rsyslog with the following config:
>> ---
>> $ModLoad imudp
>> $UDPServerRun 514
>> $ModLoad ommysql
>>
>> $template FILENAME,"/var/log/%fromhost-ip%/syslog.log"
>> *.* ?FILENAME
>> *.* :ommysql:HOSTNAME,Syslog,sysloguser,PASSWORD
>> ---
>>
>> This config logs everything to:
>> /var/log/syslog
>> /var/log/[IPADDRESS]/syslog.log
>> And to my mysql server.
>>
>> I have one issue: because I'm relaying, each message has two date stamps:
>>
>> Feb 10 08:49:08 192.168.10.9 2372489: Feb 10 09:01:40.753: %LINK-3-UPDOWN:
>> Interface FastEthernet0/0, changed state to up
>>
>> This means that everything gets put in the sql db taking the date stamp
>> from the relay and logging the entire log in the 'message' field.
>>
>> Is there a way to put rsyslog into a 'transparent' mode where it relays
>> the messages unmodified?
>
> The problem is that the Cisco device you are getting the logs from is not
> sending a valid message. The 2372489: in your sample message is not allowed
> by the syslog RFCs.
>
> Rsyslog is trying to figure out what the right thing for this message
> should be, and in this case is guessing differently from what you want it
> to guess.
>
> You can alter the template that you used to deliver the message to the
> destination, and the %rawmsg% variable is the unmodified data that you
> received. But the mysql database isn't wanting you to give it the
> unmodified data, it's wanting you to give it separate fields for the time,
> hostname, and message (at least), so the template that you create for that
> is going to be more complex (and probably include regexes to extract the
> fields, watch out for the fact that there can be a leading space on the
> day, i.e. Feb 9)
>
> The best thing you could do is to figure out how to fix the logs that the
> Cisco is generating.
>
> David Lang
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
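
The field extraction described in the reply above, as an added example in Python that is not part of the original thread and is not rsyslog's own code: it splits the relayed line from the post into relay time, host, Cisco sequence number, device time and message text, and tolerates the space-padded day. The field names, the `skew_seconds` value and the second sample line are assumptions of this example.

```python
import re
from datetime import datetime

# One timestamp as it appears in the post's sample line. " +" accepts the
# space-padded day ("Feb  9") that the reply warns about.
TS = r"[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}"

# Relay header (time, host), Cisco sequence number, device timestamp, then
# %FACILITY-SEVERITY-MNEMONIC: text. "[*.]?" tolerates the marker IOS puts
# in front of a timestamp taken from an unsynchronised clock.
LINE = re.compile(
    rf"^(?P<relay_time>{TS}) (?P<host>\S+) (?P<seq>\d+): "
    rf"[*.]?(?P<device_time>{TS}(?:\.\d+)?): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)


def _to_dt(ts):
    # The message carries no year; 2000 is a placeholder (a leap year, so
    # "Feb 29" still parses).
    fmt = "%Y %b %d %H:%M:%S.%f" if "." in ts else "%Y %b %d %H:%M:%S"
    return datetime.strptime("2000 " + ts, fmt)


def parse_relayed(line):
    """Return a dict of fields, or None so the caller can keep the raw line."""
    m = LINE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("relay_time", "device_time"):
        rec[key] = " ".join(rec[key].split())  # collapse the padded day
    rec["seq"] = int(rec["seq"])
    rec["severity"] = int(rec["severity"])
    # Device clock minus relay clock in seconds (assumes both are same year).
    delta = _to_dt(rec["device_time"]) - _to_dt(rec["relay_time"])
    rec["skew_seconds"] = delta.total_seconds()
    return rec


# SAMPLE is the line from the post; PADDED is constructed for this example.
SAMPLE = ("Feb 10 08:49:08 192.168.10.9 2372489: Feb 10 09:01:40.753: "
          "%LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up")
PADDED = ("Feb  9 08:49:08 192.168.10.9 2372490: Feb  9 09:01:41.002: "
          "%LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to down")

if __name__ == "__main__":
    for line in (SAMPLE, PADDED, "Feb 10 08:49:08 192.168.10.9 not a Cisco body"):
        print(parse_relayed(line))
```

Storing the device timestamp and the relay timestamp as separate columns keeps the gap between the two clocks visible when events from several sources are later correlated.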

