syslog-ng: writing data to MySQL through a pipe

Source: Internet  Published by: 中国高铁网络  Editor: 程序博客网  Time: 2024/05/24 22:42
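A log message is processed roughly as follows:
First comes the log source: "source s_name { ... };"
Then the filter rule: "filter f_name { ... };"
Then the message chain: "log { source(s_name); filter(f_name); destination(d_name) };"
Finally the destination action: "destination d_name { ... };"
This way a log message is handled the way you intend. Note that a log message is matched against all of the defined configuration as it passes through; matching does not stop at the first match.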

@version:3.2
options {
   flush_lines (0);
   time_reopen (10);
   log_fifo_size (2048);
   long_hostnames (off);
   use_dns (no);
   use_fqdn (no);
   create_dirs (yes);
   keep_hostname (yes);
};
source s_sys {
   file ("/proc/kmsg" program_override("kernel: "));
   unix-stream ("/dev/log");
   internal();
};
# Messages received here come from the network (UDP 514 on all interfaces)
source net {
   udp(ip(0.0.0.0),port(514));
};
destination net_log {
   file ("/mnt/logdata/net_log/net_log/${YEAR}.${MONTH}.${DAY}/${HOST}.log" );
};
destination d_mesg {
   file("/mnt/logdata/net_log/log/messages");
};
filter f_net_hill {
   match("item failed" value(MESSAGE))
   or match("Backup to Master" value(MESSAGE))
   or match("Master to Backup" value(MESSAGE));
};
filter f_iis_msg {
   match("OWA~false" value(MESSAGE));
};
filter f_sys_mail {
   message("正在离开群集");
};
destination mysql_net_hill {
   # The mysql client reads the INSERT statements from the FIFO
   program("mysql -h10.2.178.20 -usyslog -pSysl0g2017@,./ itcc_zabbix < /opt/pipe/myhill.pipe");
   # Each message is written to the FIFO as one INSERT statement
   pipe("/opt/pipe/myhill.pipe"
        template("INSERT INTO w_net_hill_logs (host, datetime, msg) VALUES ( '$HOST', '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC', '$MSG' );\n")
        template-escape(yes) );
};
# mail_system and mysql_iis are not defined in this excerpt
log { source(mail_system);filter(f_iis_msg); destination(mysql_iis); };

Create the pipe directory:
mkdir /opt/pipe
Create the pipe file:
mkfifo /opt/pipe/myiis.pipe
For the pipe file, see the above.
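Why template-escape(yes) matters in the pipe() destination above, shown as an added example that is not from the original page: it renders the page's INSERT template for a message containing single quotes and reads the string literals back. The escape() function is a simplified model of template-escape (an assumption: a backslash before quotes and backslashes), and the SAMPLE values are constructed.

```python
import re

# INSERT template from the page's pipe() destination.
TEMPLATE = ("INSERT INTO w_net_hill_logs (host, datetime, msg) VALUES "
            "( '$HOST', '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC', '$MSG' );\n")

# Constructed sample: a message with embedded single quotes.
SAMPLE = {"HOST": "fw01", "YEAR": "2024", "MONTH": "05", "DAY": "24",
          "HOUR": "22", "MIN": "42", "SEC": "00",
          "MSG": "Backup to Master: peer 'fw02' item failed"}

def escape(value):
    """Simplified model (assumption) of template-escape(yes):
    put a backslash before ', \" and backslash."""
    return "".join("\\" + c if c in "'\"\\" else c for c in value)

def render(macros, template_escape):
    """Expand $NAME macros in TEMPLATE, escaping each value if requested."""
    def expand(match):
        value = macros[match.group(1)]
        return escape(value) if template_escape else value
    return re.sub(r"\$([A-Z]+)", expand, TEMPLATE)

def string_literals(sql):
    """Return the '...' literals as a backslash-escaping SQL reader sees
    them. Only \\x -> x and '' -> ' are handled, enough for escape()."""
    literals, i = [], 0
    while i < len(sql):
        if sql[i] != "'":          # outside a literal: skip
            i += 1
            continue
        i, buf = i + 1, []
        while i < len(sql):
            if sql[i] == "\\" and i + 1 < len(sql):
                buf.append(sql[i + 1]); i += 2
            elif sql[i] == "'" and sql[i + 1:i + 2] == "'":
                buf.append("'"); i += 2
            elif sql[i] == "'":    # closing quote
                i += 1
                break
            else:
                buf.append(sql[i]); i += 1
        literals.append("".join(buf))
    return literals

if __name__ == "__main__":
    for flag in (True, False):
        print("template-escape =", flag, string_literals(render(SAMPLE, flag)))
```

With escaping the third literal is the whole message; without it the literal ends at the first quote in the message and the rest of the text is read as SQL.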

To write using the sql() destination instead, for reference:
# MySQL define destination
destination d_mysql {
   sql(
      type(mysql)
      username("syslog")
      password("Pass123!")
      database("syslog")
      host("172.16.1.20")
      table("logs")
      columns("host","facility","priority","level","tag","datetime","program","msg")
      values("$HOST","$FACILITY","$PRIORITY","$LEVEL","$TAG","$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC","$PROGRAM","$MSG")
      indexes("datetime","host")
   );
};