开箱即用的rsyslog会将所有内容转储到SystemEvents`Syslog 数据库中的表中(如果您使用提供的默认架构)。我想使用正则表达式将入站消息过滤到单独的数据库表中。
我玩过这个,但我很难找出实现这一点的最佳方法(甚至是一种起作用的方法)。
在我的 rsyslog.conf 中:
$template wireless, \
"insert into RogueAPs \
(ReceivedAt, DeviceReportedTime, Facility, Priority, FromHost, Message) \
VALUES('%timegenerated%', '%timereported%', '%syslogfacility%', '%syslogpriority%', '%fromhost-ip%', '%msg%');", \
stdsql
if $msg contains 'subtype=wireless' then :ommysql:127.0.0.1,Syslog,dbusername,dbpassword;wireless
*.* :ommysql:127.0.0.1,Syslog,dbusername,dbpassword
这是我最近的尝试,但我被卡住了。
(RogueAPs 表只是 rsyslog 附带的默认 SystemEvents 表的克隆)
版本信息:
shell# /usr/local/sbin/rsyslogd -v
rsyslogd 5.5.5, compiled with:
FEATURE_REGEXP: Yes
FEATURE_LARGEFILE: No
FEATURE_NETZIP (message compression): Yes
GSSAPI Kerberos 5 support: No
FEATURE_DEBUG (debug build, slow code): No
Atomic operations supported: Yes
Runtime Instrumentation (slow code): No
See http://www.rsyslog.com for more information.
通过查看本教程,我发现没有什么区别。
但是看一下rsyslog 的模板文档,根据参数的设置,似乎与 mysql 存在差异NO_BACKSLASH_ESCAPES。
来自文档:
sql - format the string suitable for a SQL statement in MySQL format. This will
replace single quotes ("'") and the backslash character by their backslash-escaped
counterpart ("\'" and "\\") inside each field. Please note that in MySQL
configuration, the NO_BACKSLASH_ESCAPES mode must be turned off for this format to
work (this is the default).
stdsql - format the string suitable for a SQL statement that is to be sent to a
standards-compliant sql server. This will replace single quotes ("'") by two single
quotes ("''") inside each field. You must use stdsql together with MySQL if in MySQL
configuration the NO_BACKSLASH_ESCAPES is turned on.