[lyz]

This one is a little tricky. I've set up a central logging server at my house, and have several machines logging to it. My dd-wrt router is also set to log to it, and the messages are correctly put into my log files, however, they are not correctly exported to the mysql destination. Here's what the config looks like.

destination d_mysql {
pipe("/var/log/mysql.pipe"
template("INSERT INTO logs
(host, facility, priority, level, tag, datetime, program, msg)
VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$D
AY $HOUR:$MIN:$SEC',
'$PROGRAM', '$MSG' );\n") template-escape(yes));};

This is working for several machines. So what's the difference with the dd-wrt syslog messages? I think this boils down to the fact that they are null terminated. Here's a couple example packets.


12:26:25.423626 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], length: 147) router.mysite.org.1025 > analyse.mysite.org.syslog: [udp sum ok] UDP, length: 119
0x0000: 4500 0093 0000 4000 4011 af05 c0a8 0501 E.....@.@.......
0x0010: c0a8 0503 0401 0202 007f 8fcf 3c32 393e ............<29>
0x0020: 4d61 7220 3138 2031 313a 3236 3a32 3820 Mar.18.11:26:28.
0x0030: 7070 7470 5b39 3334 5d3a 2061 6e6f 6e20 pptp[934]:.anon.
0x0040: 6c6f 675b 6c6f 6765 6368 6f3a 7070 7470 log[logecho:pptp
0x0050: 5f63 7472 6c2e 633a 3637 385d 3a20 6e6f _ctrl.c:678]:.no
0x0060: 206d 6f72 6520 4563 686f 2052 6570 6c79 .more.Echo.Reply
0x0070: 2f52 6571 7565 7374 2070 6163 6b65 7473 /Request.packets
0x0080: 2077 696c 6c20 6265 2072 6570 6f72 7465 .will.be.reporte
0x0090: 642e 00 d..

Notice that the last byte is a null. Here's a working example from a different host:

12:25:39.521451 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], length: 71) www.mysite.org.syslog > analyse.mysite.org.syslog: [udp sum ok] UDP, length: 43
0x0000: 4500 0047 0000 4000 3f11 b14f c0a8 0403 E..G..@.?..O....
0x0010: c0a8 0503 0202 0202 0033 132b 3c31 3839 .........3.+<189
0x0020: 3e73 656e 646d 6169 6c3a 2073 6d2d 636c >sendmail:.sm-cl
0x0030: 6965 6e74 2073 7461 7274 7570 2073 7563 ient.startup.suc
0x0040: 6365 6564 6564 0a ceeded.

This one ends in a 0a or newline and works just right.

I believe the null is the issue because after looking at the pipe file's contents, messages from route just simply end after the $MSG and don't include the ');' thereby making the command invalid SQL syntax.

I'm aware that this is a busybox issue, but I was hoping there were people here who knew the answer as well.

Cheers

[lyz]

I just updated to Debian 4.0 on my central logging server today. The logs are going through now. The logs from the router have a ?00 after them in php-syslog-ng.
Bottom line is that It seems to work with syslog-ng 2.0.0.