
I'm setting up a centralized rsyslog server using a Raspberry Pi with LogAnalyzer web frontend to view the logs. Everything is set up and working except the parsing of fields into the MySQL database. As you can see in the attached image, the ProcessID column is not being populated, and it's instead being stuck onto the end of the contents of the Syslogtag column.

I'm looking to separate the syslogtag into the programname and procid fields. To my understanding I'm to do this using a template placed in a rsyslog.d/*.conf file.

The most useful tutorial I've found on the subject is here.

I've also read and tried to put to use the documentation without success here and here.

Below is the config file I have at rsyslog.d/.conf

### Configuration file for rsyslog-mysql
### Changes are preserved

module (load="ommysql")
*.* action(type="ommysql" server="localhost" db="Syslog" uid="rsyslog" pwd="password")

# database template that separates the process ID from the syslog tag
$template dbFormat,"insert into SystemEvents (Message, Facility, FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag, processid) values ('%msg%', %syslogfacility%, '%HOSTNAME%',%syslogpriority%, '%timereported:::date-mysql%', '%timegenerated:::date-mysql%', %iut%, '%syslogtag:R,ERE,1,FIELD:(.+)(\[[0-9]{1,5}\]).*--end%', '%syslogtag:R,ERE,1,BLANK:\[([0-9]{1,5})\]--end%')",sql

Screencap of Adiscon LogAnalyzer Version 4.1.5 Web Frontend for rsyslog

1 Answer


I figured it out. After finding some relevant examples, I noticed my problem was twofold. Firstly, I was not specifying the template before adding it to the action arguments. Secondly, I was not specifying the template name during the action arguments.

My config now looks like this:

### Configuration file for rsyslog-mysql
### Changes are preserved

# database template that separates the process ID from the syslog tag
$template dbFormat,"insert into SystemEvents (Message, Facility, FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag, processid) values ('%msg%', %syslogfacility%, '%HOSTNAME%',%syslogpriority%, '%timereported:::date-mysql%', '%timegenerated:::date-mysql%', %iut%, '%syslogtag:R,ERE,1,FIELD:(.+)(\[[0-9]{1,5}\]).*--end%', '%syslogtag:R,ERE,1,BLANK:\[([0-9]{1,5})\]--end%')",sql

module (load="ommysql")
*.* action(type="ommysql" server="localhost" db="Syslog" uid="rsyslog" pwd="password" template="dbFormat")
  • Works perfectly. Just mind you - that if the PID's are going up (above 9999 ) the {1,5} clause will no longer work. I put {1,10} and it works as a charm for all processes now. – Alex Slaets Jan 15 '22 at 18:44
  • In a related story, it seems at some point after v8.40.0 SysLogTag changed from being just the tag as specified in logger's `-t` parameter to having the process id appended in square brackets. It does not appear to be logger doing that. I can't find any info on when/where/why that happened. Anyone know? – user9645 Dec 07 '22 at 17:07
  • Just to follow up - turns out it was a [change in the FreeBSD OS syslog(3)](https://reviews.freebsd.org/rS332100) function that blows up rsyslog. Still trying to figure out how to overcome it... – user9645 Dec 07 '22 at 18:39
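The two regex property replacers in the accepted answer's template, and the `{1,5}` digit limit raised in the comments, are easier to reason about when run against a few tags on the command line. The following is an added example (not from the original post or from rsyslog itself) that mirrors the extraction in plain Python, including rsyslog's FIELD and BLANK no-match actions; the sample tags are constructed.

```python
import re
from typing import Tuple

# Mirrors the two %syslogtag:R,ERE,1,<nomatch>:<regex>--end% replacers from
# the template. max_digits is the {1,N} bound on the PID so the limit that
# the comments discuss can be changed in one place.
def _tag_regexes(max_digits: int):
    name_re = re.compile(r"(.+)(\[[0-9]{1,%d}\]).*" % max_digits)
    pid_re = re.compile(r"\[([0-9]{1,%d})\]" % max_digits)
    return name_re, pid_re


def split_syslogtag(tag: str, max_digits: int = 5) -> Tuple[str, str]:
    """Return (SysLogTag, processid) as the template's two replacers would.

    First replacer: submatch 1 of (.+)(\[pid\]).*, no-match action FIELD,
    which makes rsyslog substitute the whole property when nothing matches.
    Second replacer: submatch 1 of \[(pid)\], no-match action BLANK, which
    yields an empty string when nothing matches.
    """
    name_re, pid_re = _tag_regexes(max_digits)
    m = name_re.search(tag)
    program = m.group(1) if m else tag   # FIELD: whole tag, colon included
    m = pid_re.search(tag)
    procid = m.group(1) if m else ""     # BLANK: empty string
    return program, procid


# Constructed sample tags as rsyslog exposes them in %syslogtag% (the
# trailing colon is part of the property). The last one has a 6-digit PID,
# which exceeds the {1,5} bound and falls through to the FIELD/BLANK cases.
SAMPLE_TAGS = ["sshd[1234]:", "cron[98765]:", "kernel:", "myapp[123456]:"]


def demo(max_digits: int = 5) -> dict:
    # Note the inconsistency a practitioner will see in the SysLogTag column:
    # tags without a PID keep their trailing colon (FIELD fallback), tags
    # with a PID do not. Escaping of quotes for the INSERT is not modelled
    # here; in rsyslog that is done by the template's trailing 'sql' option.
    return {tag: split_syslogtag(tag, max_digits) for tag in SAMPLE_TAGS}


if __name__ == "__main__":
    for bound in (5, 10):
        print(f"--- PID digit bound {{1,{bound}}} ---")
        for tag, (program, procid) in demo(bound).items():
            print(f"{tag!r:18} -> SysLogTag={program!r:18} processid={procid!r}")
```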