[syslog-ng] Logging only if phrase found
Sebastian Deißner
sebastian at debianfan.de
Wed May 18 18:50:06 CEST 2011

On 18.05.2011 00:16, Gergely Nagy wrote:
>
> Yes, it is. You can use filters, somewhat like this:
>
> filter f_connect {
>    message("*connect*" type(glob));
> };
>
> You can use regular expressions in the filter too - just remove the
> type(glob) part then.
>
> And then add filter(f_connect); to your log block:
>
> log {
>   source(src);
>   destination(messages);
>   filter(f_connect);
>   destination(d_mysql);
> };
>
> This will log all messages to the messages destination, but only
> filtered ones to mysql. As far as I understand it, anyway. I usually use
> separate log blocks:
>
> log {
>   source(src);
>   destination(messages);
> };
>
> log {
>   source(src);
>   filter(f_connect);
>   destination(d_mysql);
> };
>
With your code, all messages are in the database.
I only want to have the messages that have the word "connect" in the message.
I tried to do it this way:
options {
         chain_hostnames(off);
         sync(0);
         stats(43200);
};
source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };
# filter f_connect { msg("/connect/" type(glob));};
filter f_connect { match ("/connect/");};
destination d_mysql {
           program("/usr/bin/mysql --user=username --password=myword database"
                   template("INSERT INTO logs (host, facility, priority, level, tag, datetime, program, msg) VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC','$PROGRAM', '$MSG' );\n")
                   template-escape(yes)); };
destination messages { file("/var/log/mail.log"); };
log {
         source(src); filter (f_connect); destination(messages); destination(d_mysql);
};
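
Added example, not part of the original message and not syslog-ng's own code: a Python approximation of how the patterns in this thread select messages. It assumes fnmatch as a stand-in for type(glob) and re.search as a stand-in for the regular-expression match; the sample messages and function names are constructed for illustration.

```python
import fnmatch
import re

# Constructed sample messages (not taken from the thread).
SAMPLES = [
    "connect from unknown[192.0.2.10]",
    "lost connection after AUTH from unknown[192.0.2.10]",
    "disconnect from unknown[192.0.2.10]",
    "warning: /connect/ lookup table missing",
    "statistics: max cache size 3",
]

def glob_filter(pattern, msg):
    # Assumption: fnmatch stands in for type(glob). A glob must cover the
    # whole message, which is why the quoted filter uses "*connect*".
    return fnmatch.fnmatchcase(msg, pattern)

def regex_filter(pattern, msg):
    # Assumption: re.search stands in for the regex match. The search is
    # unanchored and "/" is an ordinary character, not a delimiter.
    return re.search(pattern, msg) is not None

def selected(match_fn, pattern):
    """Return the indexes of SAMPLES that the filter would let through."""
    return [i for i, m in enumerate(SAMPLES) if match_fn(pattern, m)]

def report():
    cases = [
        ("glob  *connect*", glob_filter, "*connect*"),
        ("glob  /connect/", glob_filter, "/connect/"),
        ("regex connect", regex_filter, "connect"),
        ("regex /connect/", regex_filter, "/connect/"),
        # \b is Python/PCRE syntax (POSIX regex does not define it); it keeps
        # "disconnect" and "connection" out when only the word is wanted.
        (r"regex \bconnect\b", regex_filter, r"\bconnect\b"),
    ]
    return {label: selected(fn, pat) for label, fn, pat in cases}

if __name__ == "__main__":
    for label, hits in report().items():
        print(f"{label:20} -> {hits}")
```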
    
    