MonitorWare Knowledge Base

I am using rsyslog version 3.14 and the phplogcon version 2.1.0 which supports logfile, however after install I find that all the log entries end up under the column for message. Nothing is under Date, Facility, Severity, Host or Syslogtab. This is happening on Centos 4.

I don't know if this has anything to do with the fact the rsyslog v3 date is in long format.

I will be very grateful if any one can tell me where to fix this.

Thanks

I talked to Andre on the different date formats, but maybe it has slipped his attention. I, too, standyb for his response (but I have to admit yht aour analysis looks quite convincing).

Rainer

Hi ide,

if you could send as some sample lines from your syslog file, I can look into them and find out why they aren't parsed properly.

regards,
Andre

Below is some sample lines from our syslog host.
We use it as a central logging system to log both the routers/switches and the firewall.

******************************************************************************************

2008-04-27T04:02:27-04:00 cmpsvr kernel: imklog 3.14.2, log source = /proc/kmsg started.
2008-04-27T04:02:27-04:00 cmpsvr kernel: Inspecting /boot/System.map-2.6.9-55.0.2.EL
2008-04-27T04:02:28-04:00 cmpsvr kernel: Loaded 24080 symbols from /boot/System.map-2.6.9-55.0.2.EL.
2008-04-27T04:02:28-04:00 cmpsvr kernel: Symbols match kernel version 2.6.9.
2008-04-27T04:02:42-04:00 cmpsvr kernel: Loaded 9698 symbols from 28 modules.
2008-04-27T04:02:42.992883-04:00 cmpsvr rsyslogd: [origin software="rsyslogd" swVersion="3.14.2" x-pid="1554" x-info="http
://www.rsyslog.com"] restart
2008-04-27T04:04:13-04:00 uzdomfw pf: 1055. 619145 rule 268/0(match): block in on ng0: (tos 0x0, ttl 50, id 35580, offset
0, flags [none], proto: UDP (17), length: 485) 202.97.238.230.40659 > 76.10.159.40.1026: UDP, length 457
2008-04-27T04:04:13-04:00 uzdomfw pf: 001346 rule 268/0(match): block in on ng0: (tos 0x0, ttl 50, id 10488, offset 0, fl
ags [none], proto: UDP (17), length: 485) 202.97.238.230.40659 > 76.10.159.40.1027: UDP, length 457
2008-04-27T04:04:24-04:00 uzdomfw pf: 10. 532742 rule 268/0(match): block in on ng0: (tos 0x0, ttl 50, id 9191, offset 0,
flags [none], proto: UDP (17), length: 485) 202.97.238.230.40735 > 76.10.159.40.1026: UDP, length 457
2008-04-27T04:04:24-04:00 uzdomfw pf: 001096 rule 268/0(match): block in on ng0: (tos 0x0, ttl 50, id 23751, offset 0, fl
ags [none], proto: UDP (17), length: 485) 202.97.238.230.40735 > 76.10.159.40.1027: UDP, length 457
2008-04-27T04:04:50.780189-04:00 cmpsvr ntpdate[9441]: adjust time server 192.168.0.55 offset 0.148018 sec
2008-04-27T04:05:51-04:00 uzdomfw pf: 87. 171897 rule 268/0(match): block in on ng0: (tos 0x0, ttl 109, id 61513, offset 0
, flags [none], proto: TCP (6), length: 48) 76.10.62.133.2548 > 76.10.159.40.1433: S, cksum 0xd9ad (correct), 762117069:76
2117069(0) win 64240 <mss 1452,nop,nop,sackOK>
2008-04-27T04:16:23-04:00 uzdomfw pf: 631. 992233 rule 268/0(match): block in on ng0: (tos 0x0, ttl 49, id 51694, offset
0, flags [none], proto: UDP (17), length: 486) 221.208.208.97.46577 > 76.10.159.40.1026: UDP, length 458
2008-04-27T04:16:23-04:00 uzdomfw pf: 049128 rule 268/0(match): block in on ng0: (tos 0x0, ttl 49, id 9090, offset 0, fla
gs [none], proto: UDP (17), length: 486) 221.208.208.97.46577 > 76.10.159.40.1026: UDP, length 458
2008-04-27T04:16:23-04:00 uzdomfw pf: 001210 rule 268/0(match): block in on ng0: (tos 0x0, ttl 49, id 52628, offset 0, fl
ags [none], proto: UDP (17), length: 486) 221.208.208.97.46577 > 76.10.159.40.1027: UDP, length 458
2008-04-27T04:18:21-04:00 uzdomfw pf: 117. 412299 rule 268/0(match): block in on ng0: (tos 0x0, ttl 112, id 30035, offset
0, flags [none], proto: TCP (6), length: 48) 76.8.177.186.3645 > 76.10.159.40.1433: S, cksum 0x74bd (correct), 4216527706:
4216527706(0) win 64240 <mss 1452,nop,nop,sackOK>


********************************************************************************************************

Thanks

Ide

Looks fine to me. What could be wrong is the LogLineType in the configuration.
It should look like this in config.php:

Code: Select all

$CFG['Sources']['Source1']['LogLineType'] = "syslog";

Here is the config.php section for our phplogcon

*************************************

$CFG['Sources'][Source1]['ID'] = 'Source1';
$CFG['Sources'][Source1]['Name'] = 'Messages';
$CFG['Sources'][Source1]['SourceType'] = 1;
$CFG['Sources'][Source1]['LogLineType'] = 'syslog';
$CFG['Sources'][Source1]['DiskFile'] = '/var/log/messages';

*******************************************************

Thanks

Ide

Hi ide,

thanks for the samples, those helped me finding the bug within the logstreamlineparsersyslog.class.php.
To fix the issue for you for know, please download the logstreamlineparsersyslog.class.php from here:
http://git.adiscon.com/?p=phplogcon.git ... 058cfb7385

Rename it from "src-classes-logstreamlineparsersyslog.class.php" to "logstreamlineparsersyslog.class.php" and replace it with the one in your classes folder.

Thanks Andre, It is finally sorting against the columns.

And thanks Rainer for this wonderful product.

Ide

Hi Ide,

I am glad to hear that it finally works But the credits go to Andre, he is the lead author of phpLogCon, I am just a contributor ad advisor for this project . In any case, we would like to hear anything you would like to see enhanced/changed. phpLogCon is in its infancy, with a lot of intresting stuff coming out in the next weeks. So please keep yourself subscribed to annoucements. For the time being, the best idea is to use subscribe to the project on freshmeat:

http://freshmeat.net/projects/phplogcon/

Rainer