Difference between revisions of "Talk:Syslog-ng"

From ArchWiki
(Typo in Shorewall config?)
(Directly to SQL: new section)

Revision as of 23:32, 25 April 2012

After the example syslog-ng.conf, and aside from the timestamps and remote loghost tips, most of this article has been adapted from the Gentoo wiki page for syslog-ng.conf. FYI

So yes, it needs updating for Arch, please.

AskApache 22:19, 14 September 2010 (EDT)

== Is match() example right? ==

The example:

 filter f_failed { match("regex" value("failed")); };

is in my opinion bad.

List of supported values in value() should be: "HOST", "HOST_FROM", "MESSAGE", "PROGRAM", "PID", "MSGID" and "SOURCE".

More info: https://lists.balabit.hu/pipermail/syslog-ng/2009-April/012789.html

Better example could be:

 filter f_grsecurity { match("^grsec" value("MESSAGE")); };

This is a real/working example from my syslog-ng config.

Tojaj 16:39, 8 February 2011 (EST)

== Reversal typo in Shorewall examples ==

The example:

 filter f_shorewall { not match("regex" value("Shorewall")); };                  # Filter everything except regex keyword Shorewall
 filter f_noshorewall { match("regex" value("Shorewall")); };                    # Filter regex keyword Shorewall

I believe the identifiers are switched. I have switched them to what I think they are intended to be. nuclearsandwich 14:58, 26 February 2011 (PST)

== Directly to SQL ==

I notice that we still aren't running syslog-ng with --enable-sql (should be a trivial change at some point) but thought I would populate some basic options that will work well in the wiki when available.

This config is only valid for 3.2 and up (Current as of this writing in Arch is 3.3.4.5).

Taken directly from http://pzolee.blogs.balabit.com/2010/10/syslog-ng-example-configurations/

 @version: 3.2
 source s_file{file("/var/log/inputfile*.log" follow-freq(1));};
 destination d_sql {
   sql(
     type("mysql")
     host("10.100.20.46")
     username("test_user")
     password("password")
     database("test_db")
     table("testtable-$YEAR-$MONTH-$DAY")
     columns("insert_time int", "date_time varchar(32)", "facility int", "priority int", "host varchar(255)", "program varchar(64)", "pid int", "message varchar(4000)")
     values("${R_UNIXTIME}", "${S_YEAR}-${S_MONTH}-${S_DAY} ${S_HOUR}:${S_MIN}:${S_SEC}", "$FACILITY_NUM", "$LEVEL_NUM", "$HOST", "$PROGRAM", "${PID:-0}", "$MSGONLY")
     indexes("insert_time", "date_time", "facility", "host", "program")
   );
 };
 log{
   source (s_file);
   destination (d_sql);
 };
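The following is an added example, not part of this talk page, of syslog-ng or of the Balabit blog post: it emulates, on constructed sample lines, the two things discussed above, namely what `match("regex" value("NAME"))` does with the named field (Tojaj's and nuclearsandwich's filter posts) and what rows the `d_sql` destination's `columns()`/`values()` lists produce and how they are queried. sqlite3 stands in for MySQL, the four log lines are made up, and `ASSUMED_YEAR`, `ASSUMED_RECV_TIME`, the field names accepted by the emulated `value()` and the `errors_per_host` query are all assumptions of this example rather than syslog-ng behaviour.

```python
"""Added example, not from the ArchWiki page or from syslog-ng itself."""
import re
import sqlite3
from datetime import datetime

ASSUMED_YEAR = 2011          # BSD syslog timestamps carry no year; assumed here
ASSUMED_RECV_TIME = 1297204741  # stands in for ${R_UNIXTIME} (receive time)

# Constructed sample input (RFC 3164 style); none of these lines come from the page.
SAMPLE_LINES = [
    "<38>Feb  8 16:39:01 web01 sshd[2310]: Failed password for invalid user admin from 203.0.113.7 port 4022 ssh2",
    "<3>Feb  8 16:39:05 web01 kernel: grsec: denied RWX mmap of <anonymous mapping> by /usr/bin/python[python:2401] uid/euid:1000/1000",
    "<4>Feb  8 16:39:09 db01 kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=198.51.100.4 DST=10.100.20.46 PROTO=TCP DPT=3306",
    "<86>Feb  8 16:40:00 db01 cron[990]: pam_unix(cron:session): session opened for user root by (uid=0)",
]

LINE_RE = re.compile(
    r"^<(\d{1,3})>(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) ([^:\[\s]+)(?:\[(\d+)\])?: (.*)$")

# Field names the emulated value() accepts (an assumption of this example; they are the
# macros the d_sql destination above uses plus the two that appear in the filter posts).
VALUE_NAMES = ("HOST", "PROGRAM", "PID", "MESSAGE", "FACILITY_NUM", "LEVEL_NUM")


def parse_line(line):
    """Split one line into the fields syslog-ng exposes as macros.
    PRI = facility * 8 + severity, so $FACILITY_NUM = PRI // 8 and $LEVEL_NUM = PRI % 8.
    For plain syslog input $MESSAGE and $MSGONLY hold the same text."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not a syslog line: %r" % line)
    pri, stamp, host, program, pid, msg = m.groups()
    pri = int(pri)
    when = datetime.strptime(stamp, "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
    return {
        "FACILITY_NUM": pri // 8,
        "LEVEL_NUM": pri % 8,
        "HOST": host,
        "PROGRAM": program,
        "PID": int(pid) if pid else 0,  # mirrors ${PID:-0}: 0 when no pid was logged
        "MESSAGE": msg,
        "DATE": when.strftime("%Y-%m-%d %H:%M:%S"),  # the ${S_YEAR}-...-${S_SEC} value
    }


def match_filter(regex, value, negate=False):
    """Emulate 'filter f { match(regex value(NAME)); }', or 'not match(...)' with negate=True.
    The regex is searched in the named field.  A value() that is not a field name, like the
    page's value("failed"), is rejected instead of silently matching nothing."""
    if value not in VALUE_NAMES:
        raise ValueError("value(%r) is not a message field; use one of %s" % (value, VALUE_NAMES))
    rx = re.compile(regex)
    return lambda msg: (rx.search(str(msg[value])) is not None) != negate


def select(msgs, predicate):
    return [m for m in msgs if predicate(m)]


# The columns() list of the d_sql destination above, reproduced verbatim.
COLUMNS = ("insert_time int", "date_time varchar(32)", "facility int", "priority int",
           "host varchar(255)", "program varchar(64)", "pid int", "message varchar(4000)")


def table_for(msg):
    # table("testtable-$YEAR-$MONTH-$DAY") shards by the day of the message: one table per day.
    return "testtable-" + msg["DATE"][:10]


def load_into_sql(msgs, recv_time=ASSUMED_RECV_TIME):
    """Store messages the way the values() list maps them onto the columns.  Message values are
    bound as parameters, never pasted into the statement.  The table name contains '-', so it is
    quoted as an identifier here; MySQL would need backticks for it, which is worth checking
    against what your syslog-ng build actually emits."""
    conn = sqlite3.connect(":memory:")
    for m in msgs:
        table = table_for(m)
        conn.execute('CREATE TABLE IF NOT EXISTS "%s" (%s)' % (table, ", ".join(COLUMNS)))
        conn.execute('INSERT INTO "%s" VALUES (?, ?, ?, ?, ?, ?, ?, ?)' % table,
                     (recv_time, m["DATE"], m["FACILITY_NUM"], m["LEVEL_NUM"], m["HOST"],
                      m["PROGRAM"], m["PID"], m["MESSAGE"][:4000]))  # what varchar(4000) would impose
    conn.commit()
    return conn


def errors_per_host(conn, day):
    """Example query: messages at priority err (3) or worse, per host and program, for one
    day's table.  The day goes into an identifier, so it is validated rather than bound."""
    if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", day):
        raise ValueError("day must be YYYY-MM-DD")
    sql = ('SELECT host, program, COUNT(*) FROM "testtable-%s" '
           'WHERE priority <= 3 GROUP BY host, program ORDER BY host' % day)
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    msgs = [parse_line(l) for l in SAMPLE_LINES]
    grsec = select(msgs, match_filter("^grsec", "MESSAGE"))
    print("grsec messages:", [(m["HOST"], m["MESSAGE"]) for m in grsec])
    conn = load_into_sql(msgs)
    print("errors per host on 2011-02-08:", errors_per_host(conn, "2011-02-08"))
```

Two points the example makes visible: `match()` operates on a field, so `value()` must name one (`MESSAGE`, `PROGRAM`, `HOST`, ...), and `not match(...)` is the complement over the same field, which is why the two Shorewall filters above only differ in the `not`. On the SQL side, the per-day `table()` means a query has to name the day's table, the `message` column is limited to 4000 characters, and the `d_sql` destination carries the database password in clear text, so `syslog-ng.conf` needs to be readable only by root and the database account limited to INSERT and CREATE TABLE on that database.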