I guess something along this should work. First, make sure you have the line below in your rsyslog conf file, so MySQL output module gets loaded:
$ModLoad ommysql
Then, filter the stuff you want like this:
:msg, contains, "Heroku" :ommysql:dbserver,dbname,dbuser,dbpass;heroku-template
Next you need to create a template for your data, so rsyslog knows what and how to insert to your database. Here is an example template which only records date and message, and is excepting you to have a table with only two columns, date and message.
$template heroku-template, "INSERT INTO herokulog(date,message) VALUES ('%timestamp','%msg')\r\n", SQL
Something like this should work. Note that this was on the top of my head and not tested at all, but you get the idea. Much more detailed information can be found from rsyslog web site, for example the available template parameter values might interest you.
Try this LEGACY rsyslog formatted version:
# Forward apache logs to graylog2 server
$ModLoad imfile # needs to be done just once
$InputFileName /var/log/httpd/access.log
$InputFileTag ApacheAccessLog:
$InputFileStateFile access.log.statefile
$InputFileFacility local4
$InputFileSeverity info
$InputRunFileMonitor
$InputFileName /var/log/httpd/error.log
$InputFileTag ApacheErrorLog:
$InputFileStateFile error.log.statefile
$InputFileFacility local4
$InputFileSeverity error
$InputRunFileMonitor
local4.* @@log.ospreyreach.com:12514
& stop
You can do similar entries for your other log files.
After that, create some extractors on your graylog2 server for the 12514/TCP input.
This will give you some fine grain options for graphs etc.
Best Answer
Have a cronjob executing a query like the following once a day:
Here,
syslogtableis the table in question,timestampfieldis the the DATE/TIME field containing the date of the log entry and deleted will a log entries older than 31 days. Adapt to your local situation (database, table and field names and the desired time to keep log entries).