Trusted Contributor.

Psql flexagent syslog is not applied. What am I missing?

Hi,

I am stuck in this Syslog Flexagent topic. We want to have postgresql messages sent to our Syslog connector, but to tag them as PostgreSQL. The more parsed, the better.

On our devices with a Postgresql database, we have modified the postgresql.conf file to add the tag psql-log (log_line_prefix = 'psql-log: %m ') and send them to our Syslog connector with the module imfile of rsyslog:

module(load="imfile" mode="inotify")
input(
type="imfile"
File="/var/opt/rh/rh-postgresql95/lib/pgsql/data/pg_log/postgresql.log"
Tag="psql-log:"
reopenOnTruncate="on"
Severity="notice"
Facility="local4")

local4.notice @<connector_destination>:514

 

Messages appear in our Logger with the name field as "psql-log: YYYY-mm-DD HH:MM:SS.SSS Severity: ....", for example:

psql-log: 2020-06-23 10:25:27.440 CEST LOG: connection received: host=localhost port=47212
 
Using QuickFlex, I downloaded several messages and kept the name values (is that OK, or should it be the RAW full message?) and configured a regex and a file named pgsql_syslog.subagent.sdkrfilereader.properties:

#PostgreSQL PostgreSQL Configuration File
replace.defaults=true
trim.tokens=true
comments.start.with=#

#pgsql-errlog: 2020-06-19 16:20:08.640 CEST LOG: connection authorized: user=geodb database=geodb
regex="?psql\\-log:\\s(\\d\\d\\d\\d\\-\\d\\d\\-\\d\\d\\s\\d\\d:\\d\\d:\\d\\d\\.\\d\\d\\d\\s\\S+)\\s(\\w+:\\s(.*))"?

token.count=3

token[0].name=TimeStamp
token[0].type=TimeStamp
token[1].name=Log
token[1].type=String
token[2].name=Msg
token[2].type=String

additionaldata.enabled=true

event.deviceVendor=__stringConstant(PostgreSQL)
event.deviceProduct=__stringConstant(PostgreSQL)
event.deviceReceiptTime=TimeStamp
event.name=Log
event.message=Msg

submessage.messageid.token=TimeStamp
submessage.token=Log
submessage.count=21

#LOG: connection received: host=localhost port=47212
submessage[0].messageid=connection_received
submessage[0].pattern.count=1
submessage[0].pattern[0].regex=(PANIC|FATAL|LOG|ERROR|WARNING|NOTICE|INFO|DEBUG[1-5])?: ([,?\\s?\\w]+)?: host=(\\S+)? port=(\\d+)?
submessage[0].pattern[0].fields=event.deviceSeverity,event.deviceAction,event.destinationHostName,event.destinationPort
submessage[0].pattern[0].types=String,String,String,Integer
submessage[0].pattern[0].mappings=$1|$2|$3|$4

(also defined more submessage cases)

In agent.properties I made the following changes:

agents[0].customsubagentlist=pgsql_syslog|flexagent_syslog|generic_syslog    

agents[0].usecustomsubagentlist=true

Then I stopped the syslog connector, removed the syslog.properties files and started the syslog connector.

I expected to receive the messages but I still see the Unix Vendor/Product applied. In the syslog.properties files, the devices are tagged as

syslog.subagentdef= ...,<device_hostname>\:generic_syslog,...

So they are not triggered as pgsql_syslog/flexagent_syslog messages...

Maybe I am missing a step, or assuming I am doing something right when I am not. Can anybody tell me what step is missing? Many thanks

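An offline check of the two regexes from the properties file in the question, run against the sample lines quoted there (an added example, not part of the original post and not vendor code). It assumes Python's `re` treats these patterns the same way as the connector's regex engine and that a pattern must match the whole input; `unescape`, `tokenize`, `parse_submessage` and `check` are hypothetical helper names, and the script tests only the patterns, not which subagent the connector selects.

```python
import re

# Regex values copied from the properties file in the post. A .properties file
# stores each backslash doubled, so they are unescaped before compiling.
BASE_REGEX_PROP = r'"?psql\\-log:\\s(\\d\\d\\d\\d\\-\\d\\d\\-\\d\\d\\s\\d\\d:\\d\\d:\\d\\d\\.\\d\\d\\d\\s\\S+)\\s(\\w+:\\s(.*))"?'
SUB_REGEX_PROP = r'(PANIC|FATAL|LOG|ERROR|WARNING|NOTICE|INFO|DEBUG[1-5])?: ([,?\\s?\\w]+)?: host=(\\S+)? port=(\\d+)?'

TOKENS = ["TimeStamp", "Log", "Msg"]  # token[0..2].name in the post
SUB_FIELDS = ["event.deviceSeverity", "event.deviceAction",
              "event.destinationHostName", "event.destinationPort"]

# Sample line quoted in the post, and the line from the file's own comment.
SAMPLE = ("psql-log: 2020-06-23 10:25:27.440 CEST LOG: "
          "connection received: host=localhost port=47212")
COMMENT_SAMPLE = ("pgsql-errlog: 2020-06-19 16:20:08.640 CEST LOG: "
                  "connection authorized: user=geodb database=geodb")

def unescape(prop_value):
    """Collapse each doubled backslash into the single one the engine sees."""
    return prop_value.replace("\\\\", "\\")

def tokenize(line):
    """Apply the base regex; return {token name: text}, or None on no match."""
    m = re.fullmatch(unescape(BASE_REGEX_PROP), line)  # assumption: whole-line match
    if m is None:
        return None
    if len(m.groups()) != len(TOKENS):  # token.count must equal the group count
        raise ValueError("capture groups do not match token.count")
    return dict(zip(TOKENS, m.groups()))

def parse_submessage(log_token):
    """Apply submessage[0].pattern[0] to the Log token (submessage.token=Log)."""
    m = re.fullmatch(unescape(SUB_REGEX_PROP), log_token)
    return None if m is None else dict(zip(SUB_FIELDS, m.groups()))

def check(line):
    """Return (tokens, submessage fields); either part is None when unmatched."""
    tokens = tokenize(line)
    if tokens is None:
        return None, None
    return tokens, parse_submessage(tokens["Log"])

if __name__ == "__main__":
    for sample in (SAMPLE, COMMENT_SAMPLE):
        print(sample, "->", check(sample))
```
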
Community Manager

Re: Psql flexagent syslog is not applied. What am I missing?

It was recommended by the team to open up a support case. That way the support team can track it and get additional internal resources involved if necessary. This one may need deeper research and investigation if it is a break-fix type of issue.

Thank you!

 
