Hi! I’m using rsyslog 5.8.11 (Debian/Testing) and loganalyzer 3.5.5.
I’m storing my syslog messages in a PostgreSQL database. When I tried loganalyzer, the view „Syslog Fields” didn’t work, because the column processid was missing.
I found http://wiki.rsyslog.com/index.php/LogAnalyzer_Use_cases and was able to create the missing column. To get it filled I changed the PostgreSQL template according to the web page.
Old default template:
"insert into SystemEvents (Message, Facility, FromHost, Priority,
DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ('%msg%', %syslogfacility%,
'%HOSTNAME%', %syslogpriority%, '%timereported:::date-pgsql%',
'%timegenerated:::date-pgsql%', %iut%, '%syslogtag%')",STDSQL
My new template:
"INSERT INTO SystemEvents (Message, Facility, FromHost, Priority,
DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag, ProcessID) values ('%msg%',
%syslogfacility%, '%HOSTNAME%', %syslogpriority%, '%timereported:::date-pgsql%',
'%timegenerated:::date-pgsql%', %iut%, '%programname%',
'%procid:R,ERE,0,ZERO:[0-9]+--end%')",STDSQL
Everything is working now, but what I don’t like is that the content of
the column SysLogTag is reduced to „%programname%”. This now means that
for Postfix the old messages like „postfix/anvil[30902]” or
„postfix/postscreen[31699]” are reduced to „postfix”.
Can someone help me change the template to get the content „postfix/anvil”?
Thanks for your help!
Stephan
PS: If I use the template RSYSLOG_SyslogProtocol23Format for the logfiles
I have the same problem with Postfix. This breaks analyzing software like
mailgraph.
--
| Stephan Seitz E-Mail: [email protected] |
| Public Keys: http://fsing.rootsland.net/~stse/keys.html |
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
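
One way to keep the sub-program part of the tag, as an added example that is not part of the original post or the rsyslog wiki: apply the regex form of the property replacer, which the template above already uses for procid, to syslogtag instead of switching to programname. The template name PgSQLWithProcID, the connection values in the action line and the assumption that tags contain only letters, digits and `_ . / -` before the `[pid]` suffix are assumptions of this example.

```conf
# Added example, legacy (v5) rsyslog.conf syntax; not from the original post.
#
# %syslogtag:R,ERE,0,FIELD:^[A-Za-z0-9_./-]+--end%
#   R      regex mode of the property replacer
#   ERE    POSIX extended regular expression
#   0      use the whole match (no submatch)
#   FIELD  if the regex does not match, store the complete tag unchanged
#
# Assumed tag shapes (constructed samples) and the value stored in SysLogTag:
#   postfix/anvil[30902]:       -> postfix/anvil
#   postfix/postscreen[31699]:  -> postfix/postscreen
#   cron[412]:                  -> cron
#   kernel:                     -> kernel
#
# The ProcessID expression is the one from the post and is left unchanged.

$ModLoad ompgsql

$template PgSQLWithProcID,"INSERT INTO SystemEvents (Message, Facility, FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag, ProcessID) values ('%msg%', %syslogfacility%, '%HOSTNAME%', %syslogpriority%, '%timereported:::date-pgsql%', '%timegenerated:::date-pgsql%', %iut%, '%syslogtag:R,ERE,0,FIELD:^[A-Za-z0-9_./-]+--end%', '%procid:R,ERE,0,ZERO:[0-9]+--end%')",STDSQL

# Placeholder connection values (server, database, user, password): replace
# them with the ones from the existing ompgsql action.
*.* :ompgsql:DB_SERVER,DB_NAME,DB_USER,DB_PASSWORD;PgSQLWithProcID
```

The STDSQL option stays on the template so that quote characters in %msg% and in the tag are still escaped before they reach PostgreSQL.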

