db error 1064 when logging to mysql

This is the place for you if you have rsyslog up and running but wonder how to make it do what you want.

Moderator: rgerhards

RE: db error 1064 when logging to mysql

Postby rgerhards on Mon Dec 17, 2007 3:01 pm

How about "seq"? I see from your schema (above) that it is an integer, yet you supply a character value. What is seq used for? Can you not simply exclude it?

Rainer
User avatar
rgerhards
Site Admin
 
Posts: 1780
Joined: Thu Feb 13, 2003 11:57 am

Professional Services Information

  • Custom written rsyslog.conf?
  • Maintenance Contract?
  • Installation support?

RE: db error 1064 when logging to mysql

Postby cybex_77 on Mon Dec 17, 2007 3:38 pm

Actually it is wrong, because the seq (%syslogtag%) is the day of the month, and the month is not in the two-digit $MONTH format. Is there a regexp that I can use, or another month format?

Also, what happens if we need to log Windows or Unix logs as well? Can we have multiple templates based on, say, the IP address?

Thanks
cybex_77
Average
 
Posts: 12
Joined: Fri Dec 14, 2007 1:44 pm

RE: db error 1064 when logging to mysql

Postby rgerhards on Mon Dec 17, 2007 3:41 pm

Do you want to have the month from the timereceived? Then you can use the property replacer to get hold of a substring. Something along the lines of %timereported:5:6:date-mysql% - but check the doc, I've done this out of my head, so it may be wrong.

Together with a filter, you can have multiple templates. However, this should not be necessary, as the message is (hopefully ;)) correctly parsed and so it doesn't matter where it originated from (at least in theory...).

Rainer

RE: db error 1064 when logging to mysql

Postby cybex_77 on Mon Dec 17, 2007 3:41 pm

Here is the original message and the one from the file.
Dec 15 21:12:52 Dec 15 2007 20:06:47: %ASA-4-106023: Deny udp src outside:x.x.x.x/xxx dst inside:x.x.x.x/xxx by access-group "inbound"

(facility, priority, date, time, host, message, seq)
20, 6, '20071217143811', '20071217143811', 'Dec', ' 2007 13:32:41: %ASA-6-302015: Built outbound UDP connection 7820711 for outside:x.x.x.x/xxx (x.x.x.x/xxx) to inside:x.x.x.x/xxx (x.x.x.x/xxx)', '17'

RE: db error 1064 when logging to mysql

Postby rgerhards on Mon Dec 17, 2007 3:53 pm

What is seq? Why is it there? What do you intend to do with it?

RE: db error 1064 when logging to mysql

Postby cybex_77 on Tue Dec 18, 2007 7:33 pm

I have managed to get it working with the database using the following template.

$template cacti,"insert into logs_incoming(host, facility, priority, status, date, time, message) values ('%HOSTNAME%', %syslogfacility%, %syslogpriority%, %syslogpriority%, DATE('%timereported:::date-mysql%'), TIME('%timereported:::date-mysql%'), '%msg:::drop-last-lf%')",sql

The only issue I am having now is that the month is being used as the hostname as you can see from the below.

insert into logs_incoming(host, facility, priority, status, date, time, message) values ('Dec', 20, 4, 4, DATE('20071218192230'), TIME('20071218192230'), ' 2007 18:17:25: %ASA-4-106023: Deny udp src outside:x.x.x.x/xxx dst inside:x.x.x.x/xxx by access-group "inbound"')

I need it to pick up the IP address instead of the date field. Any suggestions?

Thanks for all your help so far.

RE: db error 1064 when logging to mysql

Postby cybex_77 on Tue Dec 18, 2007 7:40 pm

I have temporarily fixed this issue by using '%FROMHOST%' instead of '%HOSTNAME%'. This is not preferable, as we will be forwarding these messages through a syslog forwarding server in the DMZ, and I understand that the FROMHOST statement takes the IP address of the forwarding syslog server if there is one?

RE: db error 1064 when logging to mysql

Postby rgerhards on Wed Dec 19, 2007 10:36 am

Yes, that is right, FROMHOST is always the last hop. I tried to look at the message in question. You have posted:

Dec 15 21:12:52 Dec 15 2007 20:06:47: %ASA-4-106023: Deny udp src outside:x.x.x.x/xxx dst inside:x.x.x.x/xxx by access-group "inbound"

Is this actually %RAWMSG%? I am a bit puzzled, because the date is in there twice. That looks like a config problem on the device. Plus, it does not indicate its hostname, so it makes some sense that the hostname cannot be extracted ;)

Rainer
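To make the hostname problem discussed in this thread concrete, here is an added Python example. It is not rsyslog's code and was not posted by anyone in the thread: a simplified model of how rsyslog's RFC 3164 (legacy syslog) parser splits a line, run over the double-timestamp ASA message above. It shows why the second "Dec" lands in %HOSTNAME% and the day in %syslogtag%, checks the 1-based %timereported:5:6:date-mysql% substring that Rainer sketched from memory, and reproduces the quote escaping that the template's `sql` option performs so that message text cannot break out of the string literal in the INSERT. The property and option names (%HOSTNAME%, %FROMHOST%, %timereported%, %syslogtag%, `sql`, `drop-last-lf`) are rsyslog's; the PRI values, the sender address 192.0.2.10 and the sshd line are constructed, and the header-splitting rules are a model, not rsyslog's actual implementation.

```python
"""Model of how rsyslog's RFC 3164 parser splits the ASA line from this thread.

Added example; this is not rsyslog's code.  The header-splitting rules are a
simplified model of rsyslog's legacy parser.  %HOSTNAME%, %FROMHOST%,
%timereported%, %syslogtag% and the ``sql`` template option are real rsyslog
names; the sender address 192.0.2.10, the PRI values and the sshd line are
constructed for the example.
"""
import re
from datetime import datetime

# Constructed sample: the thread's double-timestamp ASA line, prefixed with
# the PRI (<164> = local4.warning, facility 20 / priority 4, matching the
# facility and priority seen in the thread's INSERT) a syslog sender puts in
# front of the timestamp.
RAW_ASA = ('<164>Dec 15 21:12:52 Dec 15 2007 20:06:47: %ASA-4-106023: Deny udp src '
           'outside:x.x.x.x/xxx dst inside:x.x.x.x/xxx by access-group "inbound"')
# Constructed sample: a well-formed line whose text carries a single quote.
RAW_SSHD = ("<38>Dec 15 21:12:53 fw1 sshd[42]: Invalid user '); drop table "
            "logs_incoming; -- from 198.51.100.7")
FROMHOST = '192.0.2.10'   # assumed address of the last hop that sent the datagram

_HEADER = re.compile(r'^(?:<(?P<pri>\d{1,3})>)?'
                     r'(?P<ts>[A-Z][a-z]{2} [ 0-3]?\d \d\d:\d\d:\d\d) '
                     r'(?P<host>\S+) '
                     r'(?P<rest>.*)$', re.S)


def parse_rfc3164(raw, fromhost, year=2007):
    """Split a legacy syslog line into rsyslog-style properties.

    After PRI and TIMESTAMP, the next space-delimited word is taken as HOSTNAME
    no matter what it is; TAG runs up to and including ':' or up to the first
    space (at most 32 chars); everything after that is MSG.  That is why the
    ASA line, which repeats the date where a hostname belongs, yields
    HOSTNAME='Dec' and syslogtag='15'.
    """
    m = _HEADER.match(raw)
    if not m:
        raise ValueError('not a legacy syslog line: %r' % raw)
    pri = int(m.group('pri') or 13)   # no PRI: user.notice, as rsyslog assumes
    rest = m.group('rest')
    tag_end = len(rest)
    for i, ch in enumerate(rest[:32]):
        if ch == ':':
            tag_end = i + 1
            break
        if ch == ' ':
            tag_end = i
            break
    ts = datetime.strptime('%d %s' % (year, m.group('ts')), '%Y %b %d %H:%M:%S')
    return {
        'syslogfacility': pri >> 3,
        'syslogpriority': pri & 7,
        'timereported': ts.strftime('%Y%m%d%H%M%S'),   # the date-mysql form
        'HOSTNAME': m.group('host'),
        'FROMHOST': fromhost,
        'syslogtag': rest[:tag_end],
        'msg': rest[tag_end:],
    }


def property_substr(value, from_pos, to_pos):
    """%prop:from:to% in rsyslog's property replacer: 1-based and inclusive."""
    return value[from_pos - 1:to_pos]


def sql_escape(value):
    """What the ``sql`` template option does to each property: backslash-escape
    backslash and single quote (MySQL style) so log text cannot close the
    string literal in the INSERT.  Never build the statement without it."""
    return value.replace('\\', '\\\\').replace("'", "\\'")


def build_insert(p, host_property='FROMHOST'):
    """Render the thread's 'cacti' template as the statement rsyslog issues.

    host_property picks %HOSTNAME% (whatever the device put in its header) or
    %FROMHOST% (address of the last hop; behind a relay that is the relay).
    """
    msg = p['msg'][:-1] if p['msg'].endswith('\n') else p['msg']   # drop-last-lf
    ts = p['timereported']
    return ("insert into logs_incoming(host, facility, priority, status, date, time, message) "
            "values ('%s', %d, %d, %d, DATE('%s'), TIME('%s'), '%s')"
            % (sql_escape(p[host_property]), p['syslogfacility'], p['syslogpriority'],
               p['syslogpriority'], ts, ts, sql_escape(msg)))


if __name__ == '__main__':
    asa = parse_rfc3164(RAW_ASA, FROMHOST)
    print('HOSTNAME=%r  syslogtag=%r  month=%s' % (
        asa['HOSTNAME'], asa['syslogtag'], property_substr(asa['timereported'], 5, 6)))
    print(build_insert(asa, 'HOSTNAME'))   # host column gets 'Dec'
    print(build_insert(asa))               # host column gets the sender address
    print(build_insert(parse_rfc3164(RAW_SSHD, FROMHOST)))   # the quote is escaped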
