Closed David-yanp closed 3 months ago
TheWitness
commented
2 years ago For SQL based Alerts, the program_id column is not yet initialized. You have to query against the program column. Check out the layout of the syslog_incoming table. For Reports, you can use the program_id as it runs out of the syslog table. So, by then, the program column has been resolved to program_id.
David-yanp
commented
2 years ago Hello,
Thanks for your help.
I try to use the program instead of program_id but some errors still occur.
2022/05/17 21:47:11 - CMDPHP SQL Backtrace: (/plugins/syslog/syslog_process.php[186]:syslog_remove_items(), /plugins/syslog/functions.php[606]:syslog_db_execute(), /plugins/syslog/database.php[69]:db_execute(), /lib/database.php[272]:db_execute_prepared())
2022/05/17 21:47:11 - CMDPHP ERROR: A DB Exec Failed!, Error: Unknown column 'program' in 'where clause'And if the program is too long the SQL will be cut off
This is my setting, Can I use the program for now?
TheWitness
commented
2 years ago Sounds like your syslog incoming table may not be up to date:
+-------------+---------------------+------+-----+---------------------+----------------+
| Field | Type | Null | Key | Default | Extra |
+-------------+---------------------+------+-----+---------------------+----------------+
| facility_id | int(10) unsigned | YES | | NULL | |
| priority_id | int(10) unsigned | YES | | NULL | |
| program | varchar(40) | YES | MUL | NULL | |
| logtime | timestamp | NO | | 0000-00-00 00:00:00 | |
| host | varchar(64) | YES | | NULL | |
| message | varchar(1024) | NO | | | |
| seq | bigint(20) unsigned | NO | PRI | NULL | auto_increment |
| status | tinyint(4) | NO | MUL | 0 | |
+-------------+---------------------+------+-----+---------------------+----------------+Hi,
It's a fresh install and I rechecked it, the table syslog_incoming include the program column.
may something be wrong?
mysql> desc syslog_incoming;
+-------------+---------------------+------+-----+---------------------+----------------+
| Field | Type | Null | Key | Default | Extra |
+-------------+---------------------+------+-----+---------------------+----------------+
| facility_id | int(10) unsigned | YES | | NULL | |
| priority_id | int(10) unsigned | YES | | NULL | |
| program | varchar(40) | YES | MUL | NULL | |
| logtime | timestamp | NO | | 0000-00-00 00:00:00 | |
| host | varchar(64) | YES | | NULL | |
| message | varchar(2048) | NO | | | |
| seq | bigint(20) unsigned | NO | PRI | NULL | auto_increment |
| status | tinyint(4) | NO | MUL | 0 | |
+-------------+---------------------+------+-----+---------------------+----------------+
8 rows in set (0.01 sec)This should be fixed now. Please test.
Hello,
How can I use the
program_idto filter the removal rule?When I chose the SQL expression and type the
program_id in (1,2,3,4,5,6,8,16,17,23,25,27,29,40,43,52)in, I got some error log as below:I checked the SQL and saw the SQL has the
program_id, but it's too complicated, I'm not good at SQL, someone can tell me how to use it and how can I do it.Any idea will be appreciated.