This should do the trick:

"INSERT INTO SystemEvents (Message, Facility, FromHost, Priority, 
DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag, ProcessID) values 
('%msg%', %syslogfacility%, '%HOSTNAME%', %syslogpriority%, 
'%timereported:::date-pgsql%', '%timegenerated:::date-pgsql%', %iut%, 
'%syslogtag%', '%procid:R,ERE,0,ZERO:[0-9]+--end%')",STDSQL

All fields can be found at:
http://www.rsyslog.com/doc/property_replacer.html

HTH
Rainer

> -----Original Message-----
> From: [email protected] [mailto:rsyslog-
> [email protected]] On Behalf Of Stephan Seitz
> Sent: Sunday, August 19, 2012 9:58 PM
> To: rsyslog-users
> Subject: [rsyslog] Rsyslog, PostgreSQL, loganalyzer, and processid
> 
> Hi!
> 
> I’m using rsyslog 5.8.11 (Debian/Testing) and loganalyzer 3.5.5.
> 
> I’m storing my syslog messages in a PostgreSQL database. When I tried
> loganalyzer, the view „Syslog Fields” didn’t work, because the column
> processid was missing.
> 
> I found http://wiki.rsyslog.com/index.php/LogAnalyzer_Use_cases and was
> able to create the missing column. To get it filled I changed the PostgreSQL
> template according to the web page.
> 
> Old default template:
> "insert into SystemEvents (Message, Facility, FromHost, Priority,
> DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ('%msg%',
> %syslogfacility%, '%HOSTNAME%', %syslogpriority%,
> '%timereported:::date-pgsql%', '%timegenerated:::date-pgsql%', %iut%,
> '%syslogtag%')",STDSQL
> 
> My new template:
> "INSERT INTO SystemEvents (Message, Facility, FromHost, Priority,
> DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag, ProcessID) values
> ('%msg%', %syslogfacility%, '%HOSTNAME%', %syslogpriority%,
> '%timereported:::date-pgsql%', '%timegenerated:::date-pgsql%', %iut%,
> '%programname%', '%procid:R,ERE,0,ZERO:[0-9]+--end%')",STDSQL
> 
> Everything is working now, but what I don’t like is that the content of the
> column SysLogTag is reduced to „%programname%”. This now means that
> for Postfix the old messages like „postfix/anvil[30902]” or
> „postfix/postscreen[31699]” are reduced to „postfix”.
> 
> Can someone help me change the template to get the content
> „postfix/anvil”?
> 
> Thanks for your help!
> 
>       Stephan
> 
> PS: If I use the template RSYSLOG_SyslogProtocol23Format for the logfiles I
> have the same problem with Postfix. This breaks analyzing software like
> mailgraph.
> 
> --
> | Stephan Seitz          E-Mail: [email protected] |
> | Public Keys: http://fsing.rootsland.net/~stse/keys.html |
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
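
An added illustration, not part of the original thread and not rsyslog code: a simplified Python model of what the two templates above put into SysLogTag and ProcessID for a Postfix tag, including the quote doubling applied by the STDSQL option. The function names and sample tags/messages are constructed, and the tag-splitting rules are assumptions modelled on the behaviour reported in the thread.

```python
import re

def programname(tag):
    # Assumed model: the static part of the tag ends at '/', '[', ':' or whitespace,
    # which is why "postfix/anvil[30902]:" collapses to "postfix".
    return re.match(r"[^/\[:\s]*", tag).group(0)

def procid(tag):
    # Assumed model: the PID is whatever sits between '[' and ']' in the tag.
    m = re.search(r"\[([^\]]*)\]", tag)
    return m.group(1) if m else ""

def ere_or_zero(value, pattern=r"[0-9]+"):
    # Model of %procid:R,ERE,0,ZERO:[0-9]+--end%: the whole match (match 0),
    # or the string "0" when the expression does not match.
    m = re.search(pattern, value)
    return m.group(0) if m else "0"

def stdsql(value):
    # STDSQL escaping: every single quote is doubled, so a quote inside a log
    # message cannot terminate the quoted SQL literal in the INSERT statement.
    return value.replace("'", "''")

def columns(tag, msg, tag_property):
    # tag_property picks the property written to SysLogTag:
    # "syslogtag" (template from the reply) or "programname" (poster's template).
    tag_value = tag if tag_property == "syslogtag" else programname(tag)
    return {
        "Message": stdsql(msg),
        "SysLogTag": stdsql(tag_value),
        "ProcessID": ere_or_zero(procid(tag)),
    }

if __name__ == "__main__":
    # Constructed sample input: (tag, message)
    samples = [
        ("postfix/anvil[30902]:", "statistics: max connection rate 1/60s"),
        ("kernel:", "device 'eth0' entered promiscuous mode"),
    ]
    for tag, msg in samples:
        for prop in ("programname", "syslogtag"):
            print(prop, columns(tag, msg, prop))
```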