How do I configure rsyslog to send logs from a specific program to a remote syslog server?
Solution 1
Rsyslog config files are located in: /etc/rsyslog.d/*.conf
Rsyslog reads the conf files sequentially, so it is important that you name your config file so that the specific config is loaded before anything else happens. So, name your file starting with leading zero's, i.e. 00-my-file.conf
. It's better to create a new file so that updates and so on doesn't overwrite your local config.
Example:
if $programname == 'programname' and $msg contains 'a text string' and $syslogseverity <= '6' then /var/log/custom/bind.log
Or if you just want to discard certain entries:
if $programname == 'programname' then ~
In your case: (UDP)
if $programname == 'programname' then @remote.syslog.server
& ~
Or (TCP)
if $programname == 'programname' then @@remote.syslog.server
& ~
The & ~
means to stop processing matching (previous line only!) entries further.
Some more general info:
Also, always make sure filters are on the same line:
# Example: Log mail server control messages to mail-queue.log
if $hostname == 'titus'\
and $programname == 'smtp.queue.'\
and $syslogseverity <= '6' then /var/log/titus/mail-queue.log
& ~
Usefull filters:
$hostname
$programname
$msg
$syslogseverity
Operators:
== (equals)
contains
and
or
More info: http://wiki.rsyslog.com/index.php/Configuration_Samples
Solution 2
We can also try this. It's working fine for me.
$template Incoming-logs,"/var/log/testing_docker/%PROGRAMNAME%.log"
if $programname startswith 'docker' then -?Incoming-logs
NOTE: here testing_docker
folder ownership should be given to the syslog user. Follow the below command to set permissions.
chown syslog:syslog testing_docker
Related videos on Youtube
Comments
-
Simmo over 1 year
I have a program which outputs to syslog with a given tag/program name. I'd like to be able to filter syslog traffic from that program and send it to a remote syslog server, leaving all other syslog traffic local.
I can send all traffic to the remote server with
*.* @remote_server
How do I filter it?
-
Simmo over 11 yearsThis answered my question. stackoverflow.com/questions/4042115/ruby-syslog-custom-facility
-
-
Mark Walsh almost 5 yearscan we fix the broken link?
-
codywohlers about 3 yearsthe
$msg
is still written tosyslog
as well as/var/log/custom.log
. How to output only tocustom.log
?