Solution: rsyslog + loganalyzer cannot display IP addresses and host names simultaneously (original)

Source: Internet
Author: User
Tags rsyslog

Environment:

*********************

Adiscon LogAnalyzer Version 3.4.3

[root@cento100 ~]# cat /etc/issue

CentOS release 5.6 (Final)

*********************

Some readers may scoff at the title and think the answer is nothing more than creating a view and creating DBMappings. I can tell you responsibly: no. The fix is to modify the PHP source code. First, a little background.

Recently I used rsyslog + loganalyzer to implement centralized log management. After installation, however, only the host name was displayed and there was no IP address. The articles I found on the Internet either display only the IP address, or display only the host name, or say that a view must be added to display both at the same time. When adding the view, I found that it cannot contain multiple fields. So I thought about modifying the database. After modifying the database, I found that it was still incorrect.

Adding the first field is normal.

[Image: http://www.bkjia.com/uploads/allimg/131227/1TZ12451-0.jpg]

When I added the second field, I was surprised. FUCK, what is going on here?

[Image: http://www.bkjia.com/uploads/allimg/131227/1TZ11245-1.jpg]

Why does the first field become "Array"? Damn, complaining does not help either. Every field you add overwrites the previous one. Why?

I tried to fix this bug. I had studied PHP for a few days and thought I could manage it, but it turned out to be a really big job. I never learned MVC well, and modifying view.php directly looked like a dead end. But you cannot give up. So I tried to modify the built-in view instead, and found the following:

[Image: http://www.bkjia.com/uploads/allimg/131227/1TZ15G5-2.jpg]

 

Black, all black. Black means no change is allowed. Damn, I could not understand the source code of view.php. Was this going to end in tragedy? So I looked for where the page content comes from. The page is still view.php, but the view is not defined there; it includes a bunch of other PHP files. Painful to read, but the more it hurts, the more determined you have to be. So I used grep directly in Linux:

 
 
    [root@centos100 log]# grep 'Syslog Fields' ./ -r
    ./include/functions_config.php:                                                                 'DisplayName' =>"Syslog Fields",

After finding the file, edit it:

[Image: http://www.bkjia.com/uploads/allimg/131227/1TZ135T-3.jpg]

Add the content shown in the red box.

After that, the field was still unavailable: when I opened DBMappings, the field was not there at all, so one more file had to be changed to link it in.

 
 
    [root@centos100 log]# grep 'MonitorWare' ./ -r
    ./classes/msgparsers/msgparser.eventlog.class.php:      public $_ClassDescription = 'This is a parser for a special format which can be created with Adiscon Eventreporter or MonitorWare Agent.';
    ./include/constants_logstream.php:$dbmapping['monitorware']['DisplayName'] = "MonitorWare";
    ./include/functions_config.php:                         $mysource['ObjRef']->DBTableType = "monitorware"; // Convert to MonitorWare!
    ./include/constants_general.php:// --- MonitorWare InfoUnit Defines | Messagetypes
    ./doc/install.html:     MonitorWare Line of products.</P>
    ./doc/install.html:     MonitorWare Line of products.</P>
    ./doc/install.html:LogAnalyzer supports Adiscon's MonitorWare database schema. The schema
    ./doc/manual.html:<a href="http://www.mwagent.com">MonitorWare Agent</a>.
    ./doc/windowsevent.html:<a href="http://www.mwagent.com">MonitorWare Agent</a> software. These Agents are
    ./doc/basics.html:For the database, tabels in either MonitorWare format or the format used by
    ./doc/basics.html:you set up something new, be sure the use MonitorWare schema. If you use
    ./doc/basics.html:that rsyslog uses MonitorWare schema by default, too. So you probably need not to
    ./doc/basics.html:<a href="http://www.msagent.com/">MonitorWare Agent</a>
    ./doc/basics.html:<a href="http://kb.monitorware.com">MonitorWare Knowledge Base</a> to aid you

I went through the results one by one. Leaving out the html files, the file I was looking for is ./include/constants_logstream.php.

It defines an array, and a new entry is added to it.

[Image: http://www.bkjia.com/uploads/allimg/131227/1TZ14017-4.jpg]

 

Add the content of line 352.

[Image: http://www.bkjia.com/uploads/allimg/131227/1TZ139D-5.jpg]

Now the IP address and host name are both displayed.

Of course, before doing the above operations, you must insert this field in the database so that it can be displayed.

 
 
    mysql> USE Syslog;
    mysql> ALTER TABLE SystemEvents ADD FromIP VARCHAR(60) DEFAULT NULL AFTER FromHost;

Modify the rsyslog configuration file:

 
 
    # vi /etc/rsyslog.conf
    $template insertpl,"insert into SystemEvents (Message, Facility, FromHost, FromIP,Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ('%msg%', %syslogfacility%,'%HOSTNAME%', '%fromhost-ip%', %syslogpriority%, '%timereported:::date-mysql%', '%timegenerated:::date-mysql%', %iut%, '%syslogtag%')",SQL

After the preceding changes, you must add FromIP to the existing fields.

[Image: http://www.bkjia.com/uploads/allimg/131227/1TZ11505-6.png]

 

Do not forget to restart the rsyslog service.
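With both columns populated, the table can be checked for host names that arrive from more than one source address: %HOSTNAME% is taken from the message itself, while %fromhost-ip% is the address rsyslog received the message from. The following is an added example, not code from the original post; it uses an in-memory SQLite table with a reduced SystemEvents schema and constructed rows, and the function names are hypothetical.

```python
import sqlite3

# Constructed sample rows: (Message, FromHost, FromIP).
# FromHost is what %HOSTNAME% stores (name claimed inside the message);
# FromIP is what %fromhost-ip% stores (address the message was received from).
SAMPLE_ROWS = [
    ("session opened for user root", "web01", "192.0.2.10"),
    ("session closed for user root", "web01", "192.0.2.10"),
    ("link up on eth0",              "db01",  "192.0.2.20"),
    ("cron job started",             "web01", "198.51.100.7"),  # same name, other IP
    ("link down on eth0",            "db01",  "192.0.2.20"),
]

def build_db(rows):
    """In-memory stand-in for the Syslog database (SQLite here, MySQL on the page)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE SystemEvents ("
        " ID INTEGER PRIMARY KEY, Message TEXT,"
        " FromHost VARCHAR(60), FromIP VARCHAR(60) DEFAULT NULL)"
    )
    db.executemany(
        "INSERT INTO SystemEvents (Message, FromHost, FromIP) VALUES (?, ?, ?)",
        rows,
    )
    return db

def hosts_with_multiple_ips(db):
    """Host names that were received from more than one source address."""
    query = (
        "SELECT FromHost, COUNT(DISTINCT FromIP) AS ips, COUNT(*) AS events"
        " FROM SystemEvents WHERE FromIP IS NOT NULL"
        " GROUP BY FromHost HAVING COUNT(DISTINCT FromIP) > 1"
        " ORDER BY FromHost"
    )
    return db.execute(query).fetchall()

def rows_missing_ip(db):
    """Rows stored before the template change still have FromIP NULL."""
    return db.execute(
        "SELECT COUNT(*) FROM SystemEvents WHERE FromIP IS NULL"
    ).fetchone()[0]

if __name__ == "__main__":
    db = build_db(SAMPLE_ROWS + [("row stored before the change", "web01", None)])
    print(hosts_with_multiple_ips(db))
    print(rows_missing_ip(db))
```

Messages forwarded through a relay carry the relay's address in FromIP, so a host name with several addresses is a reason to look closer, not proof of a forged name.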

 

Note:

Adiscon LogAnalyzer Version 3.6.3 has fixed the bug where multiple fields cannot be added when adding a view. I have tested this myself.

In 3.6.3, if you want to display the IP address and host name at the same time, the modification is different.

 

 

This article is from the blog, please be sure to keep this source http://gm100861.blog.51cto.com/1930562/1187180
