Using rsyslog to parse syslog messages into separate MySQL tables


10

Out of the box, rsyslog dumps everything into the SystemEvents table inside the Syslog database (if you use the default schema it ships with). I want to filter inbound messages into separate database tables using regular expressions.

I've been playing around with this, but I'm having a hard time figuring out the best way to do it (or even a way that works at all).

In my rsyslog.conf:

# Template "wireless": an INSERT into the RogueAPs table (same columns as the
# stock SystemEvents table). The stdsql option doubles single quotes in each
# field instead of backslash-escaping them. No whitespace may follow the
# continuation backslashes.
$template wireless, \
 "insert into RogueAPs \
 (ReceivedAt, DeviceReportedTime, Facility, Priority, FromHost, Message) \
 VALUES('%timegenerated%', '%timereported%', '%syslogfacility%', '%syslogpriority%', '%fromhost-ip%', '%msg%');", \
 stdsql

# Messages whose text contains subtype=wireless are written to RogueAPs using
# the "wireless" template.
if $msg contains 'subtype=wireless' then :ommysql:127.0.0.1,Syslog,dbusername,dbpassword;wireless

# Every message (including the ones matched above) is also written to
# SystemEvents using ommysql's built-in default template.
*.* :ommysql:127.0.0.1,Syslog,dbusername,dbpassword

This is my latest attempt, but I'm running into trouble with it.

(The RogueAPs table is just a clone of the default SystemEvents table that ships with rsyslog.)


Version info:

shell# /usr/local/sbin/rsyslogd -v
rsyslogd 5.5.5, compiled with:
        FEATURE_REGEXP:                         Yes
        FEATURE_LARGEFILE:                      No
        FEATURE_NETZIP (message compression):   Yes
        GSSAPI Kerberos 5 support:              No
        FEATURE_DEBUG (debug build, slow code): No
        Atomic operations supported:            Yes
        Runtime Instrumentation (slow code):    No

See http://www.rsyslog.com for more information.

Answers:


1

Looking at the tutorial, I can't see any difference.

But looking at the template documentation for rsyslog, sql and stdsql seem to differ depending on how NO_BACKSLASH_ESCAPES is set in MySQL.

From the docs:

sql - format the string suitable for a SQL statement in MySQL format. This will 
replace single quotes ("'") and the backslash character by their backslash-escaped
counterpart ("\'" and "\\") inside each field. Please note that in MySQL
configuration, the NO_BACKSLASH_ESCAPES mode must be turned off for this format to
work (this is the default).

stdsql - format the string suitable for a SQL statement that is to be sent to a
standards-compliant sql server. This will replace single quotes ("'") by two single
quotes ("''") inside each field. You must use stdsql together with MySQL if in MySQL
configuration the NO_BACKSLASH_ESCAPES is turned on.
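The following is an added example, not code from the question, from either answer, or from the rsyslog project. It models in Python what the posted configuration and the quoted documentation describe: the `if $msg contains 'subtype=wireless'` routing rule, the rendering of the `wireless` INSERT template, and the two escaping options (`sql` and `stdsql`). It then checks whether the field values survive a round trip through a simplified model of how a MySQL server reads string literals with NO_BACKSLASH_ESCAPES off (the default) and on. The sample messages, host addresses and the `parse_literals` reader are constructed for the example; the reader only handles the `\'`, `\\` and `''` cases and drops the backslash of other sequences, which is enough to show the behaviour the documentation warns about.

```python
import re

# Field order of the posted "wireless" template.
FIELDS = ["timegenerated", "timereported", "syslogfacility",
          "syslogpriority", "fromhost-ip", "msg"]

# Constructed sample messages (not taken from the original post). The second
# one carries a single quote and backslashes to exercise the escaping rules.
SAMPLE_MESSAGES = [
    {"timegenerated": "2010-08-01 12:00:00", "timereported": "2010-08-01 11:59:58",
     "syslogfacility": 23, "syslogpriority": 4, "fromhost-ip": "192.0.2.10",
     "msg": "logid=0104043575 type=event subtype=wireless action=rogue-ap-detected"},
    {"timegenerated": "2010-08-01 12:00:01", "timereported": "2010-08-01 12:00:00",
     "syslogfacility": 4, "syslogpriority": 6, "fromhost-ip": "192.0.2.11",
     "msg": "user=O'Brien path=C:\\logs\\ap.txt login ok"},
]


def escape_sql(value):
    """rsyslog 'sql' option: backslash-escape backslashes and single quotes."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def escape_stdsql(value):
    """rsyslog 'stdsql' option: double every single quote, leave backslashes."""
    return value.replace("'", "''")


def render_template(props, table, mode):
    """Render the posted INSERT template for one message, escaping each field."""
    esc = escape_sql if mode == "sql" else escape_stdsql
    template = ("insert into " + table +
                " (ReceivedAt, DeviceReportedTime, Facility, Priority, FromHost, Message)"
                " VALUES('%timegenerated%', '%timereported%', '%syslogfacility%',"
                " '%syslogpriority%', '%fromhost-ip%', '%msg%');")
    return re.sub(r"%([a-z-]+)%", lambda m: esc(str(props[m.group(1)])), template)


def route(messages, mode="stdsql"):
    """Emulate the two posted rules: matching messages go to RogueAPs, and
    every message (matching ones included) also goes to SystemEvents, since
    nothing stops processing after the first action."""
    out = {"RogueAPs": [], "SystemEvents": []}
    for props in messages:
        if "subtype=wireless" in props["msg"]:
            out["RogueAPs"].append(render_template(props, "RogueAPs", mode))
        out["SystemEvents"].append(render_template(props, "SystemEvents", mode))
    return out


def parse_literals(stmt, no_backslash_escapes):
    """Simplified model of a MySQL server reading the string literals of a
    statement. With NO_BACKSLASH_ESCAPES off, a backslash escapes the next
    character; with it on, a backslash is an ordinary character. In both
    modes '' inside a literal is one quote. Raises on an unterminated literal."""
    literals, i, n = [], 0, len(stmt)
    while i < n:
        if stmt[i] != "'":
            i += 1
            continue
        i += 1
        buf = []
        while True:
            if i >= n:
                raise ValueError("unterminated string literal")
            c = stmt[i]
            if c == "\\" and not no_backslash_escapes and i + 1 < n:
                buf.append(stmt[i + 1])   # \' -> ', \\ -> \, \x -> x
                i += 2
            elif c == "'":
                if i + 1 < n and stmt[i + 1] == "'":
                    buf.append("'")
                    i += 2
                else:
                    i += 1
                    break
            else:
                buf.append(c)
                i += 1
        literals.append("".join(buf))
    return literals


def roundtrip_ok(props, mode, no_backslash_escapes):
    """True if every field value reaches the table unchanged for this
    combination of template option and server mode."""
    stmt = render_template(props, "RogueAPs", mode)
    try:
        values = parse_literals(stmt, no_backslash_escapes)
    except ValueError:
        return False
    return values == [str(props[k]) for k in FIELDS]


if __name__ == "__main__":
    for table, stmts in route(SAMPLE_MESSAGES).items():
        print(table, len(stmts), "statement(s)")
    for mode in ("sql", "stdsql"):
        for nbe in (False, True):
            print(mode, "NO_BACKSLASH_ESCAPES=" + str(nbe),
                  "ok" if roundtrip_ok(SAMPLE_MESSAGES[1], mode, nbe) else "BROKEN")
```

Running it shows the wireless message landing in both tables, and that each escaping option only round-trips under the server mode the documentation pairs it with: `sql` with NO_BACKSLASH_ESCAPES off, `stdsql` with it on. With the wrong pairing a quote in a message either terminates the literal early (a malformed statement) or backslashes in the message are silently dropped.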

0

Unfortunately, the rsyslog documentation isn't very complete or easy to understand in some areas. I've spent a lot of time on rsyslog / MySQL / regex over the past few weeks.

Could you post an example of the log line you want to match with a regex, the schema of the table you want it to go into, etc.? What you've posted looks like it should work... What are you filtering out? And is the default schema working for you?

As a side note, I couldn't help noticing that you're using a table named RogueAPs. I don't know which vendor you're using, but I have regex rules for authentication log messages from Meru Networks and BlueSocket controllers.

Licensed under cc by-sa 3.0 with attribution required.