Per Jessen wrote:
[about sending syslog messages to mysql]
From some quick googling:
# pipe messages to /var/log/mysql.pipe to be processed by mysql
source src { unix-stream("/dev/log"); pipe("/proc/kmsg"); internal(); };

destination d_mysql {
    pipe("/var/log/mysql.pipe"
        template("INSERT INTO logs (host, facility, priority, level, tag, datetime, program, msg) VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR $MONTH-$DAY $HOUR:$MIN:$SEC', '$PROGRAM', '$MSG' );\n")
        template-escape(yes));
};

log { source(src); destination(d_mysql); };
Tip: Don't insert log records directly, but just send them to a daemon that inserts them. There you can sanitize them, to protect against SQL insertion attacks. Set up a watchdog for database errors, they can happen.

Plan for data retention in your syslog database. Without that, searching can get slow for large sites.

Then test the performance thoroughly. Once, we did such a set-up for a customer where we had several thousand syslog records per minute. But several thousand inserts per minute can thrash your database, if you're not careful. It is important to know the performance limits of your system and to set up watchdogs that check for these limits.

The log insertion server is bound by the database execution time, thus one doesn't need to pay much attention to code efficiency there -- but there must not be any memory leaks. (I would recommend using a programming language with automatic memory management.)

Cheers,
Joachim

--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Joachim Schrod                          Email: jschrod@acm.org
Roedermark, Germany
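
A sketch of the insertion daemon's core described in the tip above, as an added example that is not part of the original thread: syslog-ng writes delimited fields instead of SQL text, and the daemon binds them as query parameters. The field separator, the length cap, the function names and the use of sqlite3 as a stand-in for the MySQL driver are assumptions made so the example runs offline.

```python
import sqlite3  # stand-in for a MySQL driver; those use %s placeholders, not ?

FIELDS = ("host", "facility", "priority", "level", "tag",
          "datetime", "program", "msg")
SEP = "\x1f"      # assumed: the syslog-ng template joins fields with this byte
MAX_MSG = 2048    # assumed cap on stored message length

# The column list is a fixed constant; only values travel as bound parameters.
INSERT = "INSERT INTO logs (%s) VALUES (%s)" % (
    ", ".join(FIELDS), ", ".join("?" * len(FIELDS)))

def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS logs (%s)"
               % ", ".join(f + " TEXT" for f in FIELDS))
    return db

def parse_record(line):
    """Split one pipe line into fields; return None if it is malformed."""
    parts = line.rstrip("\n").split(SEP, len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    # Drop control characters and bound the size; quotes need no escaping
    # because the message is never spliced into SQL text.
    rec["msg"] = "".join(c for c in rec["msg"] if c.isprintable())[:MAX_MSG]
    return rec

def ingest(db, lines):
    """Insert well-formed records; return (stored, rejected) counts."""
    stored = rejected = 0
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            rejected += 1
            continue
        try:
            db.execute(INSERT, [rec[f] for f in FIELDS])
            stored += 1
        except sqlite3.Error:
            rejected += 1   # a real daemon would notify its watchdog here
    db.commit()
    return stored, rejected

# Constructed sample input: one hostile message, one malformed line.
SAMPLE = [SEP.join(["web1", "auth", "info", "6", "26", "2009-01-02 03:04:05",
                    "sshd", "Failed password for x'); DROP TABLE logs; --"]),
          "garbage line without separators"]

if __name__ == "__main__":
    print(ingest(open_db(), SAMPLE))
```

The rejected count is the kind of figure the watchdog mentioned above could monitor alongside database errors.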