How do I configure rsyslog to send logs from a specific program to a remote syslog server?


Solution 1

Rsyslog config files are located in: /etc/rsyslog.d/*.conf

Rsyslog reads the conf files sequentially, so it is important that you name your config file so that the specific config is loaded before anything else happens. So, name your file starting with leading zeros, i.e. 00-my-file.conf. It's better to create a new file so that updates and so on don't overwrite your local config.

Example:

if $programname == 'programname' and $msg contains 'a text string' and $syslogseverity <= '6' then /var/log/custom/bind.log

Or if you just want to discard certain entries:

if $programname == 'programname' then ~

In your case: (UDP)

if $programname == 'programname' then @remote.syslog.server
& ~

Or (TCP)

if $programname == 'programname' then @@remote.syslog.server
& ~

The & ~ means to stop processing matching (previous line only!) entries further.

Some more general info:

Also, always make sure filters are on the same line:

# Example: Log mail server control messages to mail-queue.log
if $hostname == 'titus'\
and $programname == 'smtp.queue.'\
and $syslogseverity <= '6' then /var/log/titus/mail-queue.log
& ~

Useful filters:

$hostname
$programname
$msg
$syslogseverity

Operators:

== (equals)
contains
and
or

More info: http://wiki.rsyslog.com/index.php/Configuration_Samples
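The same forwarding rule written in rsyslog's current RainerScript syntax (rsyslog v7 and later), with two things the legacy one-liner leaves out: a disk-assisted queue so messages are buffered rather than discarded while the remote is unreachable, and TLS so they are not sent across the network in the clear. This is an added example, not part of the original answer; the program name myprog, the host logs.example.net, the certificate paths and the file name 00-forward-myprog.conf are placeholders.

```rsyslog
# /etc/rsyslog.d/00-forward-myprog.conf  (added example; all names are placeholders)
#
# This file must sort before the distribution's default rules
# (e.g. 50-default.conf on Debian/Ubuntu), because "stop" only affects
# rules that are evaluated after it.
#
# queue.filename below needs a work directory; Debian/Ubuntu set one in
# /etc/rsyslog.conf, otherwise add:  global(workDirectory="/var/spool/rsyslog")

# TLS settings shared by all network stream drivers (assumed paths).
global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"
    DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/client-cert.pem"
    DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/client-key.pem"
)

# $programname is whatever syslog tag the sending process chose. Treat it as
# a routing key, not an identity: any local process can log under this name.
#
# StreamDriverMode 1 = TLS required; x509/name verifies the server certificate
# against the permitted peer name, so a spoofed collector is rejected.
# The LinkedList queue with a filename spills to disk when the remote is down,
# and resumeRetryCount -1 retries forever instead of dropping the action.
if $programname == 'myprog' then {
    action(
        type="omfwd"
        target="logs.example.net"
        port="6514"
        protocol="tcp"
        StreamDriver="gtls"
        StreamDriverMode="1"
        StreamDriverAuthMode="x509/name"
        StreamDriverPermittedPeers="logs.example.net"
        queue.type="LinkedList"
        queue.filename="fwd_myprog"
        queue.saveOnShutdown="on"
        action.resumeRetryCount="-1"
    )
    # Equivalent of the legacy "& ~": these messages are not also written
    # to the local files handled by later rules. Omit it to keep a local copy.
    stop
}
```

Check the syntax with `rsyslogd -N1` before restarting the daemon, then generate a test message on the client with `logger -t myprog "forwarding test"` and confirm it arrives on the collector and, because of `stop`, does not appear in the local syslog file.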

Solution 2

We can also try this. It's working fine for me.

$template Incoming-logs,"/var/log/testing_docker/%PROGRAMNAME%.log"
if $programname startswith 'docker' then -?Incoming-logs

NOTE: here, ownership of the testing_docker folder should be given to the syslog user. Run the command below to set the permissions.

chown syslog:syslog testing_docker
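The same per-program file split in RainerScript syntax, with one hardening step the legacy template skips: %PROGRAMNAME% comes straight from the tag the logging process chose, so it is sender-controlled input that ends up in a file path. rsyslog's property replacer option secpath-replace rewrites any slash in the property to an underscore, so a tag such as `docker/../../etc/cron.d/x` cannot steer the dynamic file outside the directory. The ownership settings let rsyslog create the directory itself instead of relying on a manual chown. This is an added example, not part of the original answer; the directory, the docker prefix and the file name 10-docker-per-program.conf are placeholders.

```rsyslog
# /etc/rsyslog.d/10-docker-per-program.conf  (added example; names are placeholders)

# Same idea as the legacy $template line, as a RainerScript template.
# secpath-replace: "/" in the program name becomes "_", keeping every
# generated path inside /var/log/testing_docker/.
template(name="Incoming-logs" type="string"
         string="/var/log/testing_docker/%programname:::secpath-replace%.log")

# createDirs lets rsyslog create the directory on first use; the owner/group
# and modes here assume the daemon runs as the syslog user (Debian/Ubuntu
# default) and that the adm group should be able to read the logs.
if $programname startswith 'docker' then {
    action(
        type="omfile"
        dynaFile="Incoming-logs"
        createDirs="on"
        dirCreateMode="0750"
        fileCreateMode="0640"
        dirOwner="syslog"
        dirGroup="adm"
        fileOwner="syslog"
        fileGroup="adm"
    )
    # Drop these messages from the general syslog file handled by later rules.
    # Remove "stop" if you want them in both places.
    stop
}
```

rsyslog does not rotate these per-program files itself, so add a logrotate rule for /var/log/testing_docker/*.log, and keep the rule file sorted before the distribution defaults (50-default.conf on Debian/Ubuntu) if the `stop` is meant to keep the messages out of /var/log/syslog.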


Author: Simmo (Rails developer with a blurred face.)

Updated on September 18, 2022

Comments

  • Simmo
    Simmo over 1 year

    I have a program which outputs to syslog with a given tag/program name. I'd like to be able to filter syslog traffic from that program and send it to a remote syslog server, leaving all other syslog traffic local.

    I can send all traffic to the remote server with

    *.* @remote_server
    

    How do I filter it?

  • Mark Walsh
    Mark Walsh almost 5 years
    can we fix the broken link?
  • codywohlers
    codywohlers about 3 years
    the $msg is still written to syslog as well as /var/log/custom.log. How to output only to custom.log?