I'm trying to parse log messages that are received from a UDP port and insert them into a MySQL database. My destination in my syslog-ng.conf file is as follows:
source syslog_udp {
    udp(port(<port num>) flags(no-parse));
};
The parser I have written is as follows:
parser p_logparser {
    csv-parser(
        columns("<column1>", "<column2>", ...)
        flags(strip-whitespace)
        delimiters(",")
        template("${<column1}\n")
    );
};
I am also using a filter to "discard" a certain part of the log message:
filter log_filter { not (match("<string>") and match("<string>"));};
Ultimately, I want to be able to write the contents of "column1" into a MySQL database, but for testing purposes I am currently writing to a file:
destination d_file {
    file("<path>/${ISODATE}" template("Testing : ${column1}"));
};
log {
    source(syslog_udp);
    parser(p_logparser);
    filter(log_filter);
    destination(d_file);
};
However, when I open the file that's described in d_file, all I can see is "Testing : " and the contents of column1 aren't actually there. I have a feeling it is because my parser is not creating the soft macros properly. What am I doing wrong?