[rsyslog] Use part of incoming syslog message in an output file name?

Rainer Gerhards rgerhards at hq.adiscon.com
Mon Jan 28 14:05:53 CET 2013



> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of Ben Bradley
> Sent: Monday, January 28, 2013 1:39 PM
> To: rsyslog at lists.adiscon.com
> Subject: Re: [rsyslog] Use part of incoming syslog message in an output file
> name?
> 
> On Mon, 28 Jan 2013 11:33:11 +0000
> Rainer Gerhards <rgerhards at hq.adiscon.com> wrote:
> 
> > $template ApacheAccessLogFile, "/var/log/httpd/%msg:R,ERE,1,BLANK:([a-z0-9\-\.]+) [0-9]+$--end%_access.log"
> >
> 
> Amazing! Thanks so much!
> 
> --- start of long story ---
> I have Apache logging to /bin/logger and then have rsyslog generate the per-
> vhost log files and then send the log over the network.
> I was passing the vhost to rsyslog as part of the syslog tag, the bit that usually
> contains the pid.
> The problem I've just encountered is that there's a maximum length for the
> syslog tag of 32 characters so for many vhosts the full vhost wasn't being
> transmitted through /bin/logger, before rsyslog is even involved.
> 
> So with this I am planning to have rsyslog write the physical log files using
> content from the Apache error log message rather than the syslog tag.
> 
> The problem I've now got is Apache error log files. Until we start using
> Apache 2.3.9+ we can't specify the error log format to include the vhost so
> for error logs I am still restricted to sending the vhost through the syslog tag.
> --- end of long story ---
> 
> Actually I've just seen an article that would actually get around my problem...
> http://www.rsyslog.com/sende-messages-with-tags-larger-than-32-characters/
> 
> How do I integrate this from that article...
> template (name="LongTagForwardFormat" type="string"
> string="<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME%%syslogtag%%msg:::sp-if-no-1st-sp%%msg%")

That's just new style format. You need to have v7 to use that.

> 
> With this in my current rsyslog.conf...
> $template ApacheAccessLogFile, "/var/log/httpd/%procid%_access.log"
> $template ApacheAccessLogFormat, "%msg:2:$:drop-last-lf%\r\n"
> 
> if $app-name == 'apache-access' and $syslogfacility-text == 'local0' and
> $syslogseverity-text == 'info' then -
> ?ApacheAccessLogFile;ApacheAccessLogFormat
> 

Just use it as usual:
?ApacheAccessLogFile;LongTagForwardFormat

> Then that will hopefully give me enough of an understanding to be able to
> figure these out myself.
> 
> Cheers, Ben
> 


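What the regex-based file name template in this thread produces for different messages, as an added example that is not part of the original thread. Python's `re` stands in for rsyslog's POSIX ERE engine (an approximation), and the helper names, the log directory constant and the sample messages are constructed for illustration.

```python
import posixpath
import re

LOG_DIR = "/var/log/httpd"
# Expression from the template in this thread. rsyslog runs it as a POSIX ERE;
# Python's re is an approximation here (assumption).
VHOST_RE = re.compile(r"([a-z0-9\-\.]+) [0-9]+$")

def dynafile_name(msg):
    """Mimic %msg:R,ERE,1,BLANK:...--end%_access.log: submatch 1 of the
    expression, or an empty string (BLANK) when it does not match."""
    m = VHOST_RE.search(msg)
    vhost = m.group(1) if m else ""
    return f"{LOG_DIR}/{vhost}_access.log"

def stays_in_log_dir(path):
    """True if the normalised path is still a file directly in LOG_DIR."""
    return posixpath.dirname(posixpath.normpath(path)) == LOG_DIR

# Constructed access-log messages that end in "<vhost> <number>" (assumed format).
PREFIX = '10.0.0.5 - - [28/Jan/2013:13:39:01 +0100] "GET / HTTP/1.1" 200 512 '
SAMPLES = [
    PREFIX + "www.example.com 80",    # normal vhost
    PREFIX + "WWW.EXAMPLE.COM 80",    # upper case: no match, BLANK
    PREFIX + "../../etc/passwd 80",   # only the run after the last "/" matches
    PREFIX + ".. 80",                 # dots are allowed, but no slash is
    PREFIX + "www.example.com -",     # no trailing number: no match, BLANK
]

if __name__ == "__main__":
    for msg in SAMPLES:
        path = dynafile_name(msg)
        print(f"{path:45} in {LOG_DIR}: {stays_in_log_dir(path)}")
```

In this emulation the character class excludes `/`, so every generated name stays a file directly in `/var/log/httpd`, and all non-matching messages collect in `_access.log`.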