[rsyslog-notify] Forum Thread: RainerScript filters and output channels - (Mode 'edit_topic')
noreply at adiscon.com
Sat Sep 13 01:15:50 CEST 2014
User: balar
Forumlink: http://kb.monitorware.com/viewtopic.php?p=24919#p24919
Message:
----------
I am using the rsyslog output channel feature which allows for rotation of
log files based on a certain size.
Each message contains a specific field of a certain pattern, e.g. [ag_xxxx],
and the message is written to the local2 facility. My requirement is that if
the message contains [ag_xxxx], the output should go to
/var/log/app_logs/xxxx.log, and if the message contains [ag_yyyy], the output
should go to /var/log/app_logs/yyyy.log. These files should be logrotated.
I have the following output channels in my /etc/rsyslog.d/xx-syslog.conf
file. Each channel should get recycled after 10M with a retention of 10
files. The python script /usr/local/bin/logrot.py does just that.
$outchannel xxxx,/var/log/app_logs/xxxx.log, 10000000,/usr/local/bin/logrot.py /var/log/app_logs/xxxx.log 10
$outchannel yyyy,/var/log/app_logs/yyyy.log, 10000000,/usr/local/bin/logrot.py /var/log/app_logs/yyyy.log 10
And the following RainerScript filters:
if $syslogfacility-text == "local2" and $msg contains "[ag_xxxx]" then :omfile:$xxxx
if $syslogfacility-text == "local2" and $msg contains "[ag_yyyy]" then :omfile:$yyyy
With this setting, the logs do not end up in /var/log/app_logs/xxxx or
/var/log/app_logs/yyyy. Instead, all the logs end up in /var/log/syslog. I
have tried replacing double quotes (") with single quotes (') and changing
the syslog property to $syslogfacility instead of $syslogfacility-text. This
also did not work. For example:
if $syslogfacility == 18 and $msg contains '[ag_xxxx]' then :omfile:$xxxx
if $syslogfacility == 18 and $msg contains '[ag_yyyy]' then :omfile:$yyyy
However, if I use property filters where I just check for message contents,
each message goes to its appropriate file, and also gets rotated after the
size is reached.
:msg, contains, "[ag_xxxx]" :omfile:$xxxx
:msg, contains, "[ag_yyyy]" :omfile:$yyyy
One more point:
I could have used traditional selectors with facilities such as local1,
local2 etc. and specified conditions such as:
local1.* :omfile:$xxxx
local2.* :omfile:$yyyy
...
However, I do not want to use these facilities since xxxx, yyyy are
application components, and I could have more than local0 - local7 (eight)
components which generate logs.
Can anyone explain why the RainerScript filters do not work with output
channels?
The other choice I have is to not use output channels at all, send the
output directly to files, and instead use the logrotate program which runs
off cron. However, by default, it runs once a day, and for more precise
size-based log rotation, it will have to be run, for example, once an hour. In
that case, the lines would look like:
if $syslogfacility-text == 'local2' and $msg contains '[ag_xxxx]' then /var/log/app_logs/xxxx.log
if $syslogfacility-text == 'local2' and $msg contains '[ag_yyyy]' then /var/log/app_logs/yyyy.log
Thanks
Bala
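
Added example, not part of the original post and not the poster's script: a minimal rotation helper of the kind an output channel would run when the size limit is hit, invoked with the same two arguments as the post's logrot.py (log path, number of old files to keep). The function name rotate and the .1 to .N suffix scheme are assumptions.

```python
#!/usr/bin/env python3
"""Rotate <logfile> to <logfile>.1 ... <logfile>.N, keeping N old copies.

Hypothetical stand-in for the post's /usr/local/bin/logrot.py, called as:
    logrot.py /var/log/app_logs/xxxx.log 10
"""
import os
import sys


def rotate(path, keep):
    """Shift path.i -> path.(i+1), drop the oldest, move path -> path.1.

    Returns the rotated files that exist afterwards, newest first.
    """
    if keep < 1:
        raise ValueError("keep must be >= 1")
    if not os.path.isfile(path) or os.path.islink(path):
        # Nothing to rotate. Symlinks are refused so a link planted in the
        # log directory cannot steer the rename somewhere else.
        return []
    oldest = f"{path}.{keep}"
    if os.path.lexists(oldest):
        os.remove(oldest)
    # Walk from the oldest generation down so no rename overwrites a newer file.
    for i in range(keep - 1, 0, -1):
        src = f"{path}.{i}"
        if os.path.lexists(src):
            os.rename(src, f"{path}.{i + 1}")
    # Moving the active file away leaves the channel's path free again.
    os.rename(path, f"{path}.1")
    return [f"{path}.{i}" for i in range(1, keep + 1)
            if os.path.lexists(f"{path}.{i}")]


def main(argv):
    if len(argv) != 3 or not argv[2].isdigit():
        print(f"usage: {argv[0]} <logfile> <keep>", file=sys.stderr)
        return 2
    rotate(argv[1], int(argv[2]))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```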