Saturday, February 26, 2011

Syslog to MySQL

I had a need to put syslog data into a database for further analysis.
Using one of my Linux boxes, this turned out to be much easier than I thought, at least for basic functionality.

Basically I followed the instructions at http://www.rsyslog.com/doc/rsyslog_mysql.html and everything just worked.

I already had MySQL installed and rsyslog was the default syslog daemon on my Linux distribution, so I used the script shipped with the rsyslog-mysql package to create the database, then I created the account.

mysql -u root -p < /usr/share/doc/rsyslog-mysql/createDB.sql

grant all privileges on Syslog.* to 'Syslog'@'%' identified by 'password' with grant option;

Then I modified the rsyslog config file.

#put this line as the first line in /etc/rsyslog.conf
$ModLoad ommysql

#this line logs everything
*.*       :ommysql:127.0.0.1,Syslog,Syslog,password
#*.*       :ommysql:127.0.0.1,db-name,db-user,db-password

Then I restarted the Rsyslog process.
/etc/rc.d/init.d/rsyslogd restart

Then I issued a 'SELECT * FROM Syslog.SystemEvents;'
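The grant above gives the logging account every privilege on the database, from any host, with the right to pass those privileges on, while the daemon only ever inserts rows from 127.0.0.1. Below is an added example (not from the original post) showing that grant beside a least-privilege version, plus a more useful query than SELECT * for analysis. It assumes the table and column names from rsyslog's createDB.sql (SystemEvents, SystemEventsProperties, ReceivedAt, FromHost, Facility, Priority); the account names and passwords are placeholders.

```sql
-- Original grant from the post (over-privileged: ALL on the database, any host,
-- and WITH GRANT OPTION):
-- GRANT ALL PRIVILEGES ON Syslog.* TO 'Syslog'@'%' IDENTIFIED BY 'password' WITH GRANT OPTION;

-- Least privilege for the log writer: INSERT only, limited to the host rsyslog
-- connects from (127.0.0.1 in the ommysql line). Account names and passwords
-- are placeholders.
CREATE USER 'rsyslog_writer'@'127.0.0.1' IDENTIFIED BY 'CHANGE-ME';
GRANT INSERT ON Syslog.SystemEvents TO 'rsyslog_writer'@'127.0.0.1';
GRANT INSERT ON Syslog.SystemEventsProperties TO 'rsyslog_writer'@'127.0.0.1';

-- A separate read-only account for the analysis work, so a query tool never
-- holds write access to the log store.
CREATE USER 'syslog_reader'@'localhost' IDENTIFIED BY 'CHANGE-ME-TOO';
GRANT SELECT ON Syslog.* TO 'syslog_reader'@'localhost';
FLUSH PRIVILEGES;

-- Analysis query: event volume per source host, facility and priority over the
-- last 24 hours (assumed column names from createDB.sql).
SELECT FromHost, Facility, Priority, COUNT(*) AS events
FROM Syslog.SystemEvents
WHERE ReceivedAt >= NOW() - INTERVAL 1 DAY
GROUP BY FromHost, Facility, Priority
ORDER BY events DESC;
```

If you switch to the writer account, the db-user and db-password fields of the :ommysql: line in /etc/rsyslog.conf change to match.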


I saw that the local machine was logging all of its syslog data, and the other devices that were logging to the syslog server were also showing up in the database. As a point of interest, all of the data was still being written to the regular syslog file as well, since the ommysql line adds an action alongside the existing file rules rather than replacing them.

Future work on this will be to tailor what gets logged and some possible customizations.