MonitorWare Knowledge Base

I'm running rsyslog-4.1.7 and I'm having problem to get it parsing the "emblem" formatted message properly. The relevant configurations are:
...
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
...
$template syslog-ng,"insert into logs(host, facility, priority, level, tag, datetime, program, msg) values ('%hostname%', '%syslogfacility-text%', '%pri%',
'%syslogseverity%', '%syslogtag%', '%timegenerated:::date-mysql%', '%programname% ', '%msg%')", SQL
#$template syslog-ng,"insert into logs(host, facility, priority, level, tag, datetime, program, msg) values ('%hostname%', '%syslogfacility-text%', '%pri-tex
t%', '%syslogseverity-text%', '%syslogtag%', '%timegenerated:::date-mysql%', '%programname%', '%msg%')", SQL
local4.*;local5.* :ommysql:127.0.0.1,syslog,syslogadmin,syslogadmin;syslog-ng
The raw message from TCPDUMP looks like the following:
yslog message: LOCAL5.INFO: May 04 2009 18:08:49: %ASA-6-302013: Built outbound TCP connection 29387851 for PRODEXT:207.16.69.84/20 (207.16.69.84/20) to Internal:10.32.69.89/52087 (10.32.69.89/52087)\n
1010 1... = Facility: LOCAL5 - reserved for local use (21)
.... .110 = Level: INFO - informational (6)
Message: May 04 2009 18:08:49: %ASA-6-302013: Built outbound TCP connection 29387851 for PRODEXT:207.16.69.84/20 (207.16.69.84/20) to Internal:10.32.69.89/52087 (10.32.69.89/52087)\n
When I redirect the logs into a plain text for testing, it appears as:
May 4 18:09:47 alffwdp01 %ASA-6-302016: Teardown UDP connection 29391160 for DMZ:10.32.100.231/55466 to Internal:10.32.1.21/53 duration 0:00:00 bytes 198
The problem I'm having is it doesn't display the proper severity level. If you need more information, please let me know how I can provide them.
Thanks in advance for any help.

• Custom written rsyslog.conf?
• Maintenance Contract?
• Installation support?

I did some testings today. I modified the output template to the following:
$template TroubleShooting,"%syslogseverity-text%: %timegenerated% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"
local5.* /var/log/messages;TroubleShooting
It produced the following log:
info: May 5 14:24:35 alffwdp01 %ASA-6-302014: Teardown TCP connection 34235373 for QAEXT:207.16.68.35/38546 to Internal:10.32.68.22/9801 duration 0:03:11 bytes 16208 TCP FINs
According to this, rsyslog parsed the severity correctly. I'm using php-syslog-ng as the front end. However I can't imagine it would be the issue, as long as the rsyslog inserts the data properly, I assume. I need check on that.

I did a TCPDUMP for the MySQL traffic and it confirmed rsyslog did parse the values properly.
MySQL Protocol
Packet Length: 303
Packet Number: 0
Command
Command: Query (3)
Statement [truncated]: insert into logs(host, facility, priority, level, tag, datetime, program, msg) values ('alffwdp01', 'local5', 'local5.warn<172>', 'warn', '%ASA-4-106023:', '20090505144721', '%ASA-4-106023', ' Deny tcp src External:1
I guess the problem is in the front end. This is strange. I'm sure this worked before until I changed the log format in Cisco device to "emblem" style.

Do you insist on using php-syslog-ng? Otherwise, you could have a look at http://www.phplogcon.org (online demo at http://demo.phplogcon.org ). I am not bashing at php-syslog-ng and there are probably reasons for preferring it - we just can't support any issues with it (but the php-syslog-ng folks have an active support forum, but are quite tied to syslog-ng, at least they never listened when I talked to them about rsyslog, so my interest is also *very* limited ).

I spend some time today to drill into php-syslog-ng and I found the problem, sort of. It appears to me that what php-syslog-ng, or syslog-ng, refers to as "priority" is actually means "level", according to my reading of the source code. Since I'm not really family with PHP, I might possibly misread it. After I changed to configuration in rsyslog to insert level value into priority field, it started to work.
It also requires another tweak to make rsyslog works with php-syslog-ng. In php-syslog-ng, it expect to see the word "warning" instead of "warn" which is the value rsyslog uses.
Regarding "php-syslog-ng" vs. "phplogcon", I have to say I really likes "php-syslog-ng" better mainly it performs better. I first tried phplogcon to try to avoid the compatibility issues I'm dealing with right now. Unfortunately, it is really slow to display, search, etc. Other than this, php-syslog-ng comes with handy maintenance scripts to allow me easily set up cron jobs to maintain the tables. For now, I guess I will stick with php-syslog-ng.
Thanks for the reply and your excellent work on rsyslog.