<title>Writing syslog Data to MySQL</title>
<meta name="KEYWORDS" content="syslog, mysql, syslog to mysql, howto">
<h1>Recording the Priority of Syslog Messages</h1>
<P><small><i>Written by
<a href="http://www.adiscon.com/en/people/rainer-gerhards.php">Rainer
Gerhards</a> (2007-06-18)</i></small></P>
<p><i><b>The so-called priority (PRI) is very important in syslog messages,
because almost all filtering in syslog.conf is based on it.</b> However, many
syslogds (including the Linux stock sysklogd) do not provide a way to record
that value. In this article, I'll give a brief overview of how PRI can be
written to a log file.</i></p>
<p>The PRI value is a combination of so-called severity and facility. The
facility indicates where the message originated from (e.g. kernel, mail
subsystem) while the severity provides a glimpse of how important the message
might be (e.g. error or informational). Be careful with these values: they are
in no way consistent across applications (especially severity). However, they
still form the basis of most filtering in syslog.conf. For example, the
directive (aka "selector line")</p>
<code>mail.* /var/log/mail.log</code>
<p>means that messages with the mail facility should be stored in
/var/log/mail.log, no matter which severity indicator they have (that is what
the asterisk tells us). If you set up complex conditions, it can be annoying to find
out which PRI value a specific syslog message has. Most stock syslogds do not
provide any way to record them.</p>
<h2>How is it done?</h2>
<p>With <a href="http://www.rsyslog.com/">rsyslog</a>, PRI recording is simple.
All you need is the correct template. Even if you do not use rsyslog on a regular
basis, it might be a handy tool for finding out the priority.</p>
<p>Rsyslog provides a flexible system to specify the output formats. It is
template-based. A template with the traditional syslog format looks as follows:</p>
<code>$template TraditionalFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"</code>
<p>The part in quotes is the output format. Things between percent signs are
so-called <a href="property_replacer.html">message properties</a>. They are replaced with the respective content
from the syslog message when output is written. Everything outside of the
percent signs is literal text, which is simply written as specified.</p>
<p>Thankfully, rsyslog provides message properties for the priority. These are
called "PRI", "syslogfacility" and "syslogpriority" (case is important!). They are numerical
values. Starting with rsyslog 1.13.4, there is also a property "PRI-text", which
contains the priority in friendly text format (e.g. "syslog.info"). For the rest
of this article, I assume that you run version 1.13.4 or higher.</p>
<p>Recording the priority is now a simple matter of adding the respective field
to the template. It now looks like this:</p>
<code>$template TraditionalFormatWithPRI,"%PRI-text%: %timegenerated% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"</code>
<p>Now we have the right template - but how to write it to a file? You probably
have a line like this in your syslog.conf:</p>
<p align="center"><code>*.* -/var/log/messages.log</code></p>
<p>It does not specify a template. Consequently, rsyslog uses the traditional
format. In order to use some other format, simply specify the template after the
<p align="center"><code>*.* -/var/log/messages.log;TraditionalFormatWithPRI</code></p>
<p>That's all you need to do. There is one common pitfall: you need to define
the template before you use it in a selector line. Otherwise, you will receive
<p>Once you have applied the changes, you need to restart or HUP rsyslogd. It
will then pick up the new configuration.</p>
<h2>What if I do not want rsyslogd to be the standard syslogd?</h2>
<p>If you do not want to switch to rsyslog, you can still use it as a setup aid.
A little bit of configuration is required.</p>
<ul>
<li>Download, make and install rsyslog</li>
<li>copy your syslog.conf over to rsyslog.conf</li>
<li>add the template described above to it; select the file that should use
<li>stop your regular syslog daemon for the time being</li>
<li>run rsyslogd (you may even do this interactively by calling it with the
additional -n option from a shell)</li>
<li>stop rsyslogd (press ctrl-c when running interactively)</li>
<li>restart your regular syslogd</li>
</ul>
<p>That's it - you can now review the priorities.</p>
<h2>Some Sample Data</h2>
<p>Below is some sample data created with the template specified above. Note the
priority recording at the start of each line.</p>
<p><code>kern.info<6>: Jun 15 18:10:38 host kernel: PCI: Sharing IRQ 11 with 00:04.0<br>
kern.info<6>: Jun 15 18:10:38 host kernel: PCI: Sharing IRQ 11 with 01:00.0<br>
kern.warn<4>: Jun 15 18:10:38 host kernel: Yenta IRQ list 06b8, PCI irq11<br>
kern.warn<4>: Jun 15 18:10:38 host kernel: Socket status: 30000006<br>
kern.warn<4>: Jun 15 18:10:38 host kernel: Yenta IRQ list 06b8, PCI irq11<br>
kern.warn<4>: Jun 15 18:10:38 host kernel: Socket status: 30000010<br>
kern.info<6>: Jun 15 18:10:38 host kernel: cs: IO port probe 0x0c00-0x0cff: clean.<br>
kern.info<6>: Jun 15 18:10:38 host kernel: cs: IO port probe 0x0100-0x04ff: excluding 0x100-0x107 0x378-0x37f 0x4d0-0x4d7<br>
kern.info<6>: Jun 15 18:10:38 host kernel: cs: IO port probe 0x0a00-0x0aff: clean.<br>
local7.notice<189>: Jun 15 18:17:24 host dd: 1+0 records out<br>
local7.notice<189>: Jun 15 18:17:24 host random: Saving random seed: succeeded<br>
local7.notice<189>: Jun 15 18:17:25 host portmap: portmap shutdown succeeded<br>
local7.notice<189>: Jun 15 18:17:25 host network: Shutting down interface eth1: succeeded<br>
local7.notice<189>: Jun 15 18:17:25 host network: Shutting down loopback interface: succeeded<br>
local7.notice<189>: Jun 15 18:17:25 host pcmcia: Shutting down PCMCIA services: cardmgr<br>
user.notice<13>: Jun 15 18:17:25 host /etc/hotplug/net.agent: NET unregister event not supported<br>
local7.notice<189>: Jun 15 18:17:27 host pcmcia: modules.<br>
local7.notice<189>: Jun 15 18:17:29 host rc: Stopping pcmcia: succeeded<br>
local7.notice<189>: Jun 15 18:17:30 host rc: Starting killall: succeeded<br>
syslog.info<46>: Jun 15 18:17:33 host [origin software="rsyslogd" swVersion="1.13.3" x-pid="2464"] exiting on signal 15.<br>
syslog.info<46>: Jun 18 10:55:47 host [origin software="rsyslogd" swVersion="1.13.3" x-pid="2367"][x-configInfo udpReception="Yes" udpPort="514" tcpReception="Yes" tcpPort="1470"] restart<br>
user.notice<13>: Jun 18 10:55:50 host rger: test<br>
syslog.info<46>: Jun 18 10:55:52 host [origin software="rsyslogd" swVersion="1.13.3" x-pid="2367"] exiting on signal 2.</code></p>
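<p>As an added example (not part of this article and not rsyslog code), the following Python script parses lines in the TraditionalFormatWithPRI layout shown above and checks that the numeric PRI in angle brackets agrees with the facility.severity text, using PRI = facility * 8 + severity; a disagreement is a quick sign of a mis-built template or an edited log file. The facility and severity name tables follow the BSD syslog.h conventions and the sample lines are constructed from the page's data.</p>

```python
import re
# Added example, not rsyslog code: parse lines written with the
# TraditionalFormatWithPRI template and check that the numeric PRI agrees
# with the facility.severity text, since PRI = facility * 8 + severity.
FACILITY_NAMES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
                  6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp"}
FACILITY_NAMES.update({16 + i: "local%d" % i for i in range(8)})  # 12-15 have no BSD name
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
SEVERITY_ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}  # PRI-text prints "warn"

# Layout of "%PRI-text%: %timegenerated% %HOSTNAME% %syslogtag%%msg%"
LINE_RE = re.compile(r"^(?P<fac>[a-z0-9]+)\.(?P<sev>[a-z]+)<(?P<pri>\d{1,3})>: "
                     r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")

def decode_pri(pri):
    """Split a numeric PRI into (facility code, severity code)."""
    if not 0 <= pri <= 191:  # 23 * 8 + 7 is the largest valid PRI
        raise ValueError("PRI out of range: %d" % pri)
    return divmod(pri, 8)

def parse_line(line):
    """Fields of one line, or None if it does not match the template layout."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    pri = int(m.group("pri"))
    fac_code, sev_code = decode_pri(pri)
    sev_text = SEVERITY_ALIASES.get(m.group("sev"), m.group("sev"))
    return {"pri": pri, "facility": fac_code, "severity": sev_code, "host": m.group("host"),
            "consistent": (FACILITY_NAMES.get(fac_code) == m.group("fac")
                           and SEVERITY_NAMES[sev_code] == sev_text)}

def find_mismatches(lines):
    """(line number, line) pairs that do not parse or whose PRI text and number disagree."""
    bad = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None or not rec["consistent"]:
            bad.append((n, line))
    return bad

# Constructed sample: three lines from the article plus one corrupted line
# (189 decodes to local7.notice, so "kern.info<189>" cannot be genuine).
SAMPLE = [
    "kern.warn<4>: Jun 15 18:10:38 host kernel: Socket status: 30000006",
    "local7.notice<189>: Jun 15 18:17:24 host dd: 1+0 records out",
    "syslog.info<46>: Jun 18 10:55:52 host rsyslogd: exiting on signal 2.",
    "kern.info<189>: Jun 15 18:10:38 host kernel: PCI: Sharing IRQ 11 with 00:04.0",
]
```

<p>Running <code>find_mismatches(SAMPLE)</code> returns only the fourth, corrupted line; the three genuine lines from the article decode cleanly.</p>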
<h2>Feedback Requested</h2>
<P>I would appreciate feedback on this paper. If you have additional ideas,
comments or find bugs, please
<a href="mailto:rgerhards@adiscon.com">let me know</a>.</P>
<h2>References and Additional Material</h2>
<ul>
<li><a href="http://www.rsyslog.com">www.rsyslog.com</a> - the rsyslog site</li>
</ul>
<h2>Revision History</h2>
<ul>
<li><a href="http://www.adiscon.com/en/people/rainer-gerhards.php">Rainer Gerhards</a>
* initial version created</li>
</ul>
<p>Copyright (c) 2007
<a href="http://www.adiscon.com/en/people/rainer-gerhards.php">Rainer Gerhards</a>
and <a href="http://www.adiscon.com/en/">Adiscon</a>.</p>
<p>Permission is granted to copy, distribute and/or modify this document under
the terms of the GNU Free Documentation License, Version 1.2 or any later
version published by the Free Software Foundation; with no Invariant Sections,
no Front-Cover Texts, and no Back-Cover Texts. A copy of the license can be
viewed at <a href="http://www.gnu.org/copyleft/fdl.html">
http://www.gnu.org/copyleft/fdl.html</a>.</p>