ProcessID empty, PID in Syslogtag

If you need additional help with phplogcon, write in this forum.

ProcessID empty, PID in Syslogtag

Postby Coolinger » Mon Oct 05, 2009 8:46 am

Hi all!

I have one question: As stated in the subject, the ProcessID is empty. But in the Syslogtag, the PID is written after the Process name, for example

cyrus/imaps[2339]:

I am using rsyslog-mysql (Debian Lenny, backports, 4.2.0-1~bpo50+1), and the database also has no field for the PID.

It would be nice to use the statistics, but now every syslogtag with the same program but a different PID is considered a separate entry.

Thanks in advance
Coolinger
Coolinger
New
 
Posts: 1
Joined: Mon Oct 05, 2009 8:40 am

Re: ProcessID empty, PID in Syslogtag

Postby basquiat » Tue Oct 27, 2009 5:07 pm

Any news or solutions to this, as I face exactly the same problem?

(Using Debian "Lenny" with PhpLogCon 2.7.2, no PID field for the DB, too.)
basquiat
Average
 
Posts: 12
Joined: Tue Oct 27, 2009 5:03 pm

Re: ProcessID empty, PID in Syslogtag

Postby ZBeeblebrox » Wed Dec 30, 2009 12:26 pm

My solution for Debian Lenny with rsyslog 4 from backports.org, phpLogCon 2.6.5 and MySQL backend:

  1. Add a field for PID in your database. I've named it "ProcessID" and used the following properties:
    ALTER TABLE `SystemEvents` ADD `ProcessID` SMALLINT( 6 ) UNSIGNED NULL ;

  2. Modify "rsyslog.conf". I've extracted the PID from the syslogtag using a RegEx and inserted it into the new DB field "ProcessID":
    $template dbFormat,"insert into SystemEvents (Message, Facility, FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag, ProcessID) values ('%msg%', %syslogfacility%, '%HOSTNAME%',%syslogpriority%, '%timereported:::date-mysql%', '%timegenerated:::date-mysql%', %iut%, '%syslogtag:R,ERE,1,FIELD:(.+)(\[[0-9]{1,5}\]).*--end%', '%syslogtag:R,ERE,1,BLANK:\[([0-9]{1,5})\]--end%')",sql

    $ModLoad ommysql
    *.* :ommysql:localhost,Syslog,rsyslog,<secret>;dbFormat

    In the template line above, the first %syslogtag:...% property extracts the syslogtag without the PID and the second one extracts the PID only.

  3. Modify "<phplogcon-directory>/include/constants_logstream.php". Add the following line to map our new DB field to the phpLogCon ProcessID field:
    $dbmapping['monitorware'][SYSLOG_PROCESSID] = "ProcessID";

This works fine for me in a native Linux environment. PIDs are always 16-bit ints and fit in the DB. If you need non-int PIDs, you have to change the DB field to VARCHAR or something like this and replace the RegEx in step 2 to match all chars between [ and ].

HTH

PS: Sorry, English isn't my native language. ;)
ZBeeblebrox
New
 
Posts: 1
Joined: Wed Dec 30, 2009 11:47 am

Re: ProcessID empty, PID in Syslogtag

Postby basquiat » Wed Jan 13, 2010 5:22 pm

Hi ZBeeblebrox,

thanks for the hint, although there's some strange thing going on: the dbFormat regexp seems to truncate the last parts of the syslogtag by one character ("smtp" vs. "smtpd" and a PID of "259" vs. "2599"). Checking the regexp on http://www.rsyslog.com/user-regex.php delivers correct results. The truncating happens before writing to MySQL, so it's not an "output bug".

Do you have any ideas what could cause this problem?
basquiat
Average
 
Posts: 12
Joined: Tue Oct 27, 2009 5:03 pm

Re: ProcessID empty, PID in Syslogtag

Postby basquiat » Wed Jan 13, 2010 6:59 pm

Addendum: Using rsyslog 5.5.1
basquiat
Average
 
Posts: 12
Joined: Tue Oct 27, 2009 5:03 pm

Re: ProcessID empty, PID in Syslogtag

Postby LinuxAdm11 » Thu Jul 21, 2011 9:22 pm

I used the template that ZBeeblebrox posted and it is working fine. Thanks!

I am using LogAnalyzer version 3.2.1 and rsyslog 5.8.3.

My only issue is that the "Syslogtag" field is not consistent.
For example, if the original entry is "crond[4356]:", then the result would be:
Syslogtag = crond
ProcessID = 4356
But if the original value is "rsyslogd:", then the result is:
Syslogtag = rsyslogd:
ProcessID = <null>
Note the trailing ":" in the 2nd Syslogtag example.
So most of the entries that populate the "Syslogtag" field have no ":" at the end, while other entries do.
This is not really a big deal, but it would be nice if it were consistent.
My suggestion:
Either all the Syslogtag entries should end in a colon or none of them should end in a colon.
I tried tweaking the ERE, but I haven't had any luck so far.

Anyone know of a workaround for this?
LinuxAdm11
New
 
Posts: 1
Joined: Mon Jul 18, 2011 4:28 pm

Re: ProcessID empty, PID in Syslogtag

Postby KaiH » Mon Aug 08, 2011 2:11 pm

Here is a solution for that:
$template dbFormat,"insert into SystemEvents (Message, Facility, FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag, ProcessID) values ('%msg%', %syslogfacility%, '%HOSTNAME%', %syslogpriority%, '%timereported:::date-mysql%', '%timegenerated:::date-mysql%', %iut%, '%syslogtag:R,ERE,1,FIELD:([a-zA-Z\/]+)(\[[0-9]{1,5}\])*:--end%', '%syslogtag:R,ERE,1,BLANK:\[([0-9]{1,5})\]--end%')",sql

In fact I had some problems detecting the absence of "[12345]", but now it works.
KaiH
New
 
Posts: 1
Joined: Mon Aug 08, 2011 1:59 pm
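To see how the two templates in this thread behave on tags with and without a PID before touching the database, here is an added Python script (not code from any of the posts) that emulates the FIELD and BLANK nomatch options of rsyslog's property replacer with Python's re on a few constructed syslogtags. It also shows two limits worth knowing: KaiH's [a-zA-Z/]+ only covers program names made of letters and slashes, so a hypothetical tag such as systemd-logind[123]: is attributed to "logind", and neither [0-9]{1,5} nor the SMALLINT UNSIGNED column from step 1 can hold PIDs above 65535, which 64-bit Linux (pid_max up to 4194304) can produce.

```python
import re

# Python's re.search stands in for the POSIX ERE search rsyslog's property
# replacer performs; the patterns below are copied from the thread's templates.
TAG_ORIG = re.compile(r"(.+)(\[[0-9]{1,5}\]).*")          # ZBeeblebrox, nomatch FIELD
TAG_FIXED = re.compile(r"([a-zA-Z/]+)(\[[0-9]{1,5}\])*:")  # KaiH, nomatch FIELD
PID_RE = re.compile(r"\[([0-9]{1,5})\]")                   # both posts, nomatch BLANK

SMALLINT_UNSIGNED_MAX = 65535  # range of the ProcessID column from step 1


def submatch(pattern, value, nomatch):
    """Submatch 1 of pattern in value, with rsyslog-style nomatch handling:
    FIELD returns the whole property, BLANK returns an empty string."""
    m = pattern.search(value)
    if m:
        return m.group(1)
    return value if nomatch == "FIELD" else ""


def split_tag(tag, tag_pattern=TAG_FIXED):
    """Return (SysLogTag value, ProcessID value) as the template would insert them."""
    return (submatch(tag_pattern, tag, "FIELD"), submatch(PID_RE, tag, "BLANK"))


def pid_fits_column(pid_text):
    """True if the extracted PID is non-empty and fits SMALLINT UNSIGNED."""
    return pid_text.isdigit() and int(pid_text) <= SMALLINT_UNSIGNED_MAX


# Constructed sample syslogtags (not taken from a real log)
SAMPLE_TAGS = [
    "cyrus/imaps[2339]:",    # from the first post
    "crond[4356]:",          # LinuxAdm11's example with a PID
    "rsyslogd:",             # LinuxAdm11's example without a PID
    "systemd-logind[123]:",  # hypothetical program name with a hyphen
    "sshd[123456]:",         # six-digit PID, possible with a large pid_max
]

if __name__ == "__main__":
    for tag in SAMPLE_TAGS:
        orig = split_tag(tag, TAG_ORIG)
        fixed = split_tag(tag, TAG_FIXED)
        print(f"{tag:22} original={orig!s:28} revised={fixed!s:24} "
              f"fits_column={pid_fits_column(fixed[1])}")
```

Whatever regex you settle on, keep the trailing ",sql" option on the template: it is what makes rsyslog escape the substituted values for MySQL, so attacker-controlled message text cannot break out of the INSERT statement.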
