[rsyslog-notify] Forum Thread: RainerScript filters and output channels - (Mode 'edit_topic')

noreply at adiscon.com noreply at adiscon.com
Sat Sep 13 01:09:39 CEST 2014


User: balar 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=24919#p24919

Message: 
----------
I am using the rsyslog output channel feature which allows for rotation of
log files based on a certain size.

Each message contains a specific field of a certain pattern, e.g. [ag_xxxx],
and the message is written to local2 facility. My requirement is that if
the message contains [ag_xxxx], the output should go to
/var/log/app_logs/xxxx.log, if the message contains [ag_yyyy], the output
should go to /var/log/app_logs/yyyy.log. These files should be logrotated.

I have the following output channels in my /etc/rsyslog.d/xx-syslog.conf
file. Each channel should get recycled after 10M with a retention of 10
files. The Python script /usr/local/bin/logrot.py does just that.

$outchannel xxxx,/var/log/app_logs/xxxx.log,
10000000,/usr/local/bin/logrot.py /var/log/app_logs/xxxx.log 10
$outchannel yyyy,/var/log/app_logs/yyyy.log,
10000000,/usr/local/bin/logrot.py /var/log/app_logs/yyyy.log 10

And the following RainerScript filters:

if $syslogfacility-text == "local2" and $msg contains "[ag_xxxx]" then :omfile:$xxxx
if $syslogfacility-text == "local2" and $msg contains "[ag_yyyy]" then :omfile:$yyyy

With this setting, the logs do not end up in /var/log/app_logs/xxxx or
/var/log/app_logs/yyyy. Instead, all the logs end up in /var/log/syslog. I
have tried replacing double quotes (") with single quotes (') and changing
the syslog property to $syslogfacility instead of $syslogfacility-text. This
also did not work. For example:

if $syslogfacility == 18 and $msg contains '[ag_xxxx]' then :omfile:$xxxx
if $syslogfacility == 18 and $msg contains '[ag_yyyy]' then :omfile:$yyyy

However, if I use property filters where I just check for message contents,
each message goes to its appropriate file, and also gets rotated after the
size is reached.
:msg, contains, "[ag_xxxx]" :omfile:$xxxx
:msg, contains, "[ag_yyyy]" :omfile:$yyyy

One more point:

I could have used traditional selectors with facilities such as local1,
local2 etc. and specified conditions such as:
local1.*    :omfile:$xxxx
local2.*    :omfile:$yyyy
...

However, I do not want to use these facilities since xxxx, yyyy are
application components, and I could have more than local0 - local7 (eight)
components which generate logs.

Can anyone explain why the RainerScript filters do not work with output
channels?

Thanks
Bala

