How can I send non-default log files to remote rsyslog server?


All you do is create a new conf file in /etc/rsyslog.d/ and then populate it with $Input[...] directives. E.g.

$ModLoad imfile   # load the text-file input module; without it the $Input* directives below are rejected

$InputFileName /var/log/apache2/redmine.access.log   # the file to follow
$InputFileTag web.apache.access-combined.pro.whatever.yourface:   # tag stamped on every forwarded line
$InputFileStateFile stat-file1-ApacheAccess   # read-offset record kept in $WorkDirectory; use a unique name per file
$InputFileSeverity info
$InputFileFacility local7
$InputFilePollInterval 1
$InputFilePersistStateInterval 1
$InputRunFileMonitor   # activates the block; everything above applies to this one file

Add a block like that for each file you want. In fact you don't technically have to make a new conf, just add to an existing one.

If you're looking for a copy/paste solution though, you may be disappointed. Ultimately, rsyslog isn't that hard to figure out though, so you've got that going for you. Which is nice.
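As an added example (not part of the answer above and not rsyslog's own tooling), here is a small Python checker for the legacy $Input* block syntax the answer uses: it splits a config into imfile blocks, confirms that $ModLoad imfile precedes them, that every block names a file, tag and state file and is closed by $InputRunFileMonitor, and that no two blocks share a state file. The sample config and the block layout it assumes are constructed here.

```python
import re

# Constructed sample in the style of the answer above; the second block reuses
# the first block's state file, a real imfile pitfall that scrambles read offsets.
SAMPLE_CONF = """\
$ModLoad imfile
$InputFileName /var/log/apache2/redmine.access.log
$InputFileTag web.apache.access:
$InputFileStateFile stat-file1-ApacheAccess
$InputFileFacility local7
$InputRunFileMonitor
$InputFileName /var/log/apache2/redmine.error.log
$InputFileTag web.apache.error:
$InputFileStateFile stat-file1-ApacheAccess
$InputRunFileMonitor
"""

REQUIRED = ("InputFileName", "InputFileTag", "InputFileStateFile")
# One directive per line: "$Name value", with anything after '#' treated as a comment.
DIRECTIVE = re.compile(r"^\s*\$(\w+)[ \t]*([^#\n]*)", re.MULTILINE)

def parse_blocks(text):
    """Return (imfile_loaded, finished_blocks, unfinished_block).
    In the legacy syntax a block is every $Input* line up to $InputRunFileMonitor."""
    loaded, blocks, cur = False, [], {}
    for m in DIRECTIVE.finditer(text):
        name, value = m.group(1), m.group(2).strip()
        if name == "ModLoad" and value == "imfile":
            loaded = True
        elif name == "InputRunFileMonitor":   # activates and closes the current block
            blocks.append(cur)
            cur = {}
        elif name.startswith("Input"):
            cur[name] = value
    return loaded, blocks, cur

def check_conf(text):
    """List the problems to fix before restarting rsyslog with this config."""
    loaded, blocks, dangling = parse_blocks(text)
    problems, state_owner = [], {}
    if not loaded:
        problems.append("no '$ModLoad imfile' before the input blocks")
    if dangling:
        problems.append("last block is never activated: missing $InputRunFileMonitor")
    for i, b in enumerate(blocks, 1):
        problems += [f"block {i}: missing ${k}" for k in REQUIRED if k not in b]
        state = b.get("InputFileStateFile")
        if state in state_owner:   # two inputs sharing one state file overwrite each other's offsets
            problems.append(f"block {i}: state file '{state}' already used by block {state_owner[state]}")
        elif state:
            state_owner[state] = i
    return problems
```

Running check_conf on SAMPLE_CONF reports only the shared state file; an empty list means the blocks are at least structurally complete.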

trueCamelType


Updated on September 18, 2022

Comments

  • trueCamelType
    trueCamelType over 1 year

    Yes, I see that you want to mark this as a duplicate, and I appreciate that, but please read to the end.

    I've found this question several places, and the answers are either too vague for a noob to rsyslog to understand...like this

    Waaay too difficult to possibly be an easy to understand way to do what I want to do....like this

    Or very close to what I'm looking for, but not quite....like this

    Anyway, to the specific question.

    Server X = Centralized syslog server, running rsyslog.

    Server Y = A server that runs Redmine

    I have already configured Y to send the default log files to X. I used these instructions, combined with some others.

    X /etc/rsyslog.conf:

    #  /etc/rsyslog.conf    Configuration file for rsyslog.
    #
    #                       For more information see
    #                       /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
    #
    #  Default logging rules can be found in /etc/rsyslog.d/50-default.conf
    
    
    #################
    #### MODULES ####
    #################
    
    $ModLoad imuxsock # provides support for local system logging
    $ModLoad imklog   # provides kernel logging support
    #$ModLoad immark  # provides --MARK-- message capability
    
    # provides UDP syslog reception
    $ModLoad imudp
    $UDPServerRun 514
    
    # provides TCP syslog reception
    $ModLoad imtcp
    $InputTCPServerRun 514
    
    # This one is the template to generate the log filename dynamically, depending on the client's IP address.
    $template FILENAME,"/var/log/logs/%fromhost-ip%/syslog.log"
    
    # Log all messages to the dynamically formed file. Now each client's log (192.168.1.2, 192.168.1.3, etc.) will be under a separate directory, which is formed by the template FILENAME.
    *.* ?FILENAME
    
    
    # Enable non-kernel facility klog messages
    $KLogPermitNonKernelFacility on
    
    ###########################
    #### GLOBAL DIRECTIVES ####
    ###########################
    
    #
    # Use traditional timestamp format.
    # To enable high precision timestamps, comment out the following line.
    #
    $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
    
    # Filter duplicated messages
    $RepeatedMsgReduction on
    
    #
    # Set the default permissions for all log files.
    #
    $FileOwner syslog
    $FileGroup adm
    $FileCreateMode 0640
    $DirCreateMode 0755
    $Umask 0022
    $PrivDropToUser syslog
    $PrivDropToGroup syslog
    
    #
    # Where to place spool and state files
    #
    $WorkDirectory /var/spool/rsyslog
    
    #
    # Include all config files in /etc/rsyslog.d/
    #
    $IncludeConfig /etc/rsyslog.d/*.conf
    

    As you can see, the logs that are being sent to X are put into a directory named after the IP address they come from.

    Y /etc/rsyslog.d/10-rsyslog.conf

    *.* @192.168.1.X:514
    

    This all works, and I get everything just fine.

    What I'd like to do is have the redmine.access.log file located at /var/log/apache2/redmine.access.log also sent to the syslog server X.

    Like I said, I've read lots about this. I'm just not following it, and I need a more simple example.

    I'd like to keep the log files on X and Y, so piping them straight anywhere isn't what I want.

    The instructions that I've found that looked the simplest, and that I could almost follow, were these. The problem with those is that nothing is really explained, and I'm really wanting to understand how this works.

    I don't care if the redmine.access.log gets thrown in with the syslog stuff (although I'd prefer it didn't), or if it gets written somewhere else altogether (obviously on X though).

    If someone could write up what they think I should do, I'll update my question to have my final config that works, so hopefully other noobs can benefit from my silly questions.

    EDIT

    This edit is to explain why this isn't a duplicate.

    This is a duplicate.... There, I admitted it.

    But I'd really like to see something so simple, to have an actual complete example. So, if this gets marked as duplicate, and removed, that's fine, but I'm going to edit it with a working example at the end anyway.

    • trueCamelType
      trueCamelType over 8 years
      While I agree that these questions are basically the same, I would really like to get a "better" answer for this question. There is no explanation on that answer you linked to as to what's going on. And telling people to read the rsyslog documentation (which isn't what you did) isn't acceptable since SE sites are basically the new documentation. Also, a lot of the documentation assumes you already know a considerable amount about the internal workings of *nix.
    • Wesley
      Wesley over 8 years
      StackExchange is most certainly not "new documentation." That's not only incorrect from SE's own explanation of itself, that's a terrible idea conceptually. StackExchange's point, at least SO/SU/SF, is to answer specific questions for specific problems. My linked Q/A does that. For more information about the why and wherefore, you need to read the documentation. And no, you don't need to know a "considerable amount about the internal working of *nix". SF has a minimum barrier for effort and the expectations you've set for an answer are bordering on that barrier.
    • trueCamelType
      trueCamelType over 8 years
      I worded that terribly. Let me try again. Stack Exchange is definitely not "new documentation", but...since SE is almost always the entire first page of Google results for questions related to any SE site, newer programmers, sysadmins, and whoever else are more and more frequently bookmarking sites from SE rather than the documentation (because normally the explanations are more clear and to the point). I've seen this discussed on SO Meta before. So, it's not the "new documentation" as I said, and I agree with that. I misspoke (typed).
    • hey
      hey over 8 years
      SE isn't the new documentation. SE's a great place to solve specific "wicked problems" rather than to get handheld. There's some cases (cough upstart) where the best documentation was here, but that's cause the official documentation was crap. Also, trying to deduplicate questions is an essential part of how we do things. Ideally we want a canonical question that answers a problem rather than a dozen fragmented ones.
  • trueCamelType
    trueCamelType over 8 years
    I appreciate the answer. You linked to a question that you thought was a duplicate, and I was wondering, between the answer you linked to and your answer, which method would you consider better? Should I actually be adding the $Input[...] to /etc/rsyslog.conf like the dup says, or create a new file in /etc/rsyslog.d? Also, in the dup, I don't really understand what sending something to local3 means. I've seen "explanations" like this but they really don't explain it at all.
  • Wesley
    Wesley over 8 years
    I recommend breaking out configuration files for each major thing that you're sending logs for. Some prefer config files for a full application stack, others for each major service... it's up to you. There's no truly wrong answer. Whatever is repeatable and understandable to your workflow. Just document it, and better yet code it in your configuration management engine of choice (e.g. Puppet, Chef, etc.). =)
  • Wesley
    Wesley over 8 years
    @trueCamelType local3 is a generic syslog facility that has whatever meaning you feel like assigning to it. It's just generic and open to whomever to assign whatever meaning you want in your own log flow: en.wikipedia.org/wiki/Syslog#Facility