From d7ce7c3154a079281f1f72422b4d80cc0172a122 Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Thu, 28 Feb 2008 07:14:26 +0000 Subject: updated "mysql paper" to include information for other databases, too --- doc/rsyslog_mysql.html | 41 +++++++++++++++++++++++++---------------- 1 file changed, 25 insertions(+), 16 deletions(-) (limited to 'doc') diff --git a/doc/rsyslog_mysql.html b/doc/rsyslog_mysql.html index 0ba6191e..57a779d5 100644 --- a/doc/rsyslog_mysql.html +++ b/doc/rsyslog_mysql.html @@ -1,21 +1,25 @@ Writing syslog Data to MySQL - - + +

Writing syslog messages to MySQL

Written by Rainer -Gerhards (2005-08-02)

+Gerhards (2008-02-28)

Abstract

In this paper, I describe how to write syslog messages to a MySQL database. Having syslog messages in a database is often handy, especially when you intend to set up a front-end for viewing -them. This paper describes an approach with rsyslogd, an +them. This paper describes an approach with rsyslogd, +an alternative enhanced syslog daemon natively supporting MySQL. I describe the components needed to be installed and how to configure -them.

+them. Please note that as of this writing, rsyslog supports a variety +of databases. While this guide is still MySQL-focussed, you +can probably use it together with other ones too. You just need to +modify a few settings.

Background

In many cases, syslog data is simply written to text files. This approach has some advantages, most notably it is very fast and @@ -78,7 +82,12 @@ a basic understanding of how to handle it.

from the rsyslog site. Make sure that you disable stock syslogd, otherwise you will experience -some difficulties.

+some difficulties. On some distributions  (Fedora 8 and above, for +example), rsyslog may already by the default syslogd, in which case you +obviously do not need to do anything specific. For many others, there +are prebuild packages available. If you use either, please make sure +that you have the required database plugins for your database +available. It usually is a separate package and typically not installed by default.

It is important to understand how rsyslogd talks to the database. In rsyslogd, there is the concept of "templates". Basically, a template is a string that includes some replacement characters, which @@ -128,19 +137,20 @@ functionality, MySQL must be enabled in the config file BEFORE the first database table action is used. This is done by placing the

-

$ModLoad MySQL

+

$ModLoad ommysql.so

-

directive at the begining of /etc/rsyslog.conf

+

directive at the begining of /etc/rsyslog.conf. For other databases, use their plugin name (e.g. ompgsql.so).

Next, we need to tell rsyslogd to write data to the database. As we use the default schema, we do NOT need to define a template for this. We can use the hardcoded one (rsyslogd handles the proper template linking). So all we need to do is add a simple selector line to /etc/rsyslog.conf:

-

*.*       ->database-server,database-name,database-userid,database-password

+

*.*       :ommysql:database-server,database-name,database-userid,database-password

-

In many cases, MySQL will run on the local machine. In this +

Again, other databases have other selector names, e.g. ":ompgsql:" +instead of ":ommysql:". See the output plugin's documentation for +details.

In many cases, MySQL will run on the local machine. In this case, you can simply use "127.0.0.1" for database-server. This can be especially advisable, if you do not need to expose MySQL to any process outside of the local machine. In this case, you can simply @@ -162,8 +172,7 @@ such a password is NOT a good idea...). If your MySQL database is on the local machine, your rsyslog.conf line might look like in this sample:

-

*.*       ->127.0.0.1,syslog,syslogwriter,topsecret

+

*.*       :ommysql:127.0.0.1,syslog,syslogwriter,topsecret

Save rsyslog.conf, restart rsyslogd - and you should see syslog messages being stored in the "systemevents" table!
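Review bot: The rewritten sample line ending in "syslogwriter,topsecret" keeps the database password in clear text in /etc/rsyslog.conf, and the visible text around it warns only about the choice of password, not about who can read the file. Since the line is being touched anyway, consider adding a sentence next to the sample advising that rsyslog.conf be readable only by root (or the account rsyslogd runs as) once it contains database credentials.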

@@ -175,8 +184,7 @@ can apply normal selector-line filtering. If, for example, you are only interested in messages from the mail subsystem, you can use the following selector line:

-

mail.*       ->127.0.0.1,syslog,syslogwriter,topsecret

+

mail.*       :ommysql:127.0.0.1,syslog,syslogwriter,topsecret

Review the rsyslog.conf documentation for details on selector lines and their filtering.

@@ -238,7 +246,8 @@ Gerhards * removed demo site - was torn down because too expensive for usage count
  • 2008-02-21 * Rainer Gerhards * updated reliability section, can now be done with -on-demand disk queues
  • +on-demand disk queues
  • 2008-02-28 * Rainer +Gerhards * added info on other databases, updated syntax to more recent one
  • Copyright

    Copyright (c) 2005-2008 -- cgit
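Review bot: In the first hunk (@@ -1,21 +1,25 @@) the byline date is overwritten, "(2005-08-02)" becoming "(2008-02-28)", so the page no longer shows when the paper was first written. The dated change list in the last hunk already records the 2008-02-28 update, so consider keeping the original date in the byline and adding a separate "last updated" date. The added sentence "You just need to modify a few settings" would also be more useful if it named them, since the later hunks show exactly which ones change (the $ModLoad plugin name and the selector prefix).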
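Review bot: The paragraph added in the hunk at @@ -78,7 +82,12 @@ has wording slips that should be fixed before this goes in: "may already by the default syslogd" should read "may already be the default syslogd", "prebuild packages" should be "prebuilt packages", and there is a doubled space before "(Fedora 8 and above". "If you use either" is also ambiguous about what the two options are; "In either case" reads more clearly after the two preceding sentences.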
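Review bot: In the hunk at @@ -128,19 +137,20 @@ the rewritten sentence "directive at the begining of /etc/rsyslog.conf." carries over the misspelling "begining"; since the line is being changed anyway, correct it to "beginning". The unchanged lead-in still says "MySQL must be enabled in the config file BEFORE the first database table action is used" while the new text sends readers to other plugins such as ompgsql.so, so consider rewording it to refer to the database output plugin in general. Because both the load directive and the selector syntax change here ("$ModLoad MySQL" to "$ModLoad ommysql.so", "->" to ":ommysql:"), a sentence stating from which rsyslog version the new form applies would help readers who are still running an older release.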