Problem with Rsyslog with mysql-DB with one CLIENT non RFC-c


Post by sagsyslog » Fri Dec 30, 2016 8:03 pm

I have installed a central rsyslog server that logs all traffic into a MySQL DB. We have been running this for years, but
today we configured one new client to send its logs to this central log server.
*.* :ommysql:127.0.0.1,Syslog,rsyslogdbadmin,PasswordHere
Description:
http://www.systeen.com/2016/05/08/insta ... -centos-7/
or
http://tecadmin.net/setup-rsyslog-with- ... ganalyzer/

I have seen a lot of errors:
14:10:24 logserver rsyslogd: db error (1054): Unknown column 'invld' in 'field list'

When I activate SQL statement logging on MySQL, I see the problem:
Statement with error:
insert into SystemEvents (Message, Facility, FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values (' lsass[6212]: [lsass] Refresh TGT succeeded', invld, '10.240.175.11', 7, '20161230174334', '20161230174334', 1, 'isinas-2(id2)')
The problem is the Facility field (ONLY NUM!), and the client sends invld.
Normal statement:
insert into SystemEvents (Message, Facility, FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values (' Accepted publickey for oan from 10.240.2.1 port 61171 ssh2', 10, 'servera', 6, '20161230175618', '20161230175618', 1, 'sshd[54610]:')

After a lot of DB failures, rsyslog doesn't try to insert logs into the DB and logs only to the filesystem (Workdirectory).

I have activated a local firewall rule to DROP all log messages that I receive from this new client, and my central log server already has no problem.

My questions are:
1. Why doesn't rsyslog check the FACILITY entry before logging into the DB?
2. Why doesn't rsyslog try to log into the DB after a lot of failed entries?
3. Why does rsyslog check if all entries are correct (it knows the table exactly) /usr/share/doc/rsyslog-7.4.7/mysql-createDB.sql?
I have tested it with the latest rsyslog version, too (8.23).
4. Strange that one client could block the CENTRAL log server?

What can I do to avoid this trouble with another new client?
Thanks in advance.

If you would like, you can answer me in German, too.
We are interested in buying e-mail support and/or phone support in German in the future.
sagsyslog
New
 
Posts: 1
Joined: Fri Dec 30, 2016 7:57 pm
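
The failure mode described in the post above, as an added example that is not part of the original post and is not rsyslog code: a collector that validates the syslog PRI and inserts with bound parameters, so a non-compliant sender cannot produce a broken INSERT. Assumptions: `sqlite3` stands in for MySQL, the `SystemEvents` table is reduced to four columns, the function names are hypothetical, and the sample lines are constructed (message text borrowed from the post, PRI values invented).

```python
import re
import sqlite3

# RFC 3164/5424 PRI: "<" 1-3 digits ">"; value = facility * 8 + severity, max 191.
PRI_RE = re.compile(r"^<(\d{1,3})>")
FALLBACK_PRI = 13  # user.notice, the value RFC 3164 prescribes for an unusable PRI


def split_pri(raw):
    """Return (facility, severity, rest, pri_was_valid) for one raw syslog line."""
    m = PRI_RE.match(raw)
    if m and int(m.group(1)) <= 191:
        pri, rest, valid = int(m.group(1)), raw[m.end():], True
    else:
        # Non-compliant sender: keep the message, but never let its PRI reach SQL.
        pri, rest, valid = FALLBACK_PRI, raw, False
    return pri // 8, pri % 8, rest, valid


def store(db, raw, from_host):
    """Insert one message with bound parameters; Facility is always an int 0-23."""
    facility, severity, msg, valid = split_pri(raw)
    db.execute(
        "INSERT INTO SystemEvents (Message, Facility, FromHost, Priority) "
        "VALUES (?, ?, ?, ?)",
        (msg, facility, from_host, severity),
    )
    return valid


def demo():
    db = sqlite3.connect(":memory:")  # assumption: sqlite3 stands in for MySQL
    db.execute(
        "CREATE TABLE SystemEvents (Message TEXT, Facility INTEGER "
        "CHECK (Facility BETWEEN 0 AND 23), FromHost TEXT, Priority INTEGER)"
    )
    # Constructed sample lines: one valid PRI, one out of range, one missing.
    samples = [
        ("<86>sshd[54610]: Accepted publickey for oan", "servera"),
        ("<999>lsass[6212]: [lsass] Refresh TGT succeeded", "10.240.175.11"),
        ("lsass[6212]: [lsass] Refresh TGT succeeded", "10.240.175.11"),
    ]
    flags = [store(db, raw, host) for raw, host in samples]
    rows = db.execute("SELECT Facility, Priority FROM SystemEvents ORDER BY rowid").fetchall()
    return flags, rows


if __name__ == "__main__":
    print(demo())
```

The `valid` flag returned by `store` can be counted per sender to spot a misbehaving client without dropping its messages.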
