[rsyslog-notify] Forum Thread: omfile with DynFile & %syslogfacility-text% - (Mode 'post')

noreply at adiscon.com
Fri Feb 20 11:42:13 CET 2015


User: AirOnSkin 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=25268#p25268

Message: 
----------
Hello,

I'm receiving logs from remote systems via [i]imrelp[/i].
These get written to disk with [i]omfile[/i]. For
[i]omfile[/i], I use [i]DynFile[/i] to
have the files and folders created in a sorted manner.
For the actual logs that get written to disk, I'd love to use
[b]%syslogfacility-text%[/b]. However, instead of files
like [i]syslog[/i], [i]authpriv[/i],
[i]mail[/i], [i]cron[/i], ... all
messages get written to [i]user[/i].

[b]CLIENT CONFIG[/b]
[code]
# /etc/rsyslog.conf ~ Rsyslog configuration

# MODULES
module(load="imuxsock")
module(load="imklog")

# QUEUES
main_queue(queue.type="LinkedList" queue.size="500000"
  queue.dequeuebatchsize="2048" queue.saveonshutdown="on")

# INCLUDES
$IncludeConfig /etc/rsyslog.d/*.conf
[/code]
[code]
# /etc/rsyslog.d/03_log-triage.conf ~ Save logs locally and also send them to central log server via RELP

# MODULES
module(load="omrelp")

# TEMPLATES
template(name="FileFormat" type="string"
  string="%timegenerated% %hostname% %syslogfacility-text%.%syslogseverity-text%: %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%\n"
)
template(name="ForwardFormat" type="string"
  string="%timegenerated% %hostname% %syslogfacility-text%.%syslogseverity-text%: %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%\n"
)
template(name="DynFile" type="string"
  string="/var/log/%SYSLOGFACILITY-TEXT%"
)

# RULES
*.* action(type="omfile" template="FileFormat" dirCreateMode="0755"
  FileCreateMode="0644" dynaFile="DynFile")
*.* action(type="omrelp" template="ForwardFormat"
  target="111.22.333.44" port="2514" tls="on"
  queue.type="LinkedList" queue.size="500000"
  queue.dequeuebatchsize="1024")
[/code]

[b]SERVER CONFIG[/b]
[code]
# /etc/rsyslog.conf ~ Rsyslog configuration

# MODULES
module(load="imuxsock")
module(load="imklog")

# QUEUES
main_queue(queue.type="LinkedList" queue.size="500000"
  queue.dequeuebatchsize="2048" queue.saveonshutdown="on")

# INCLUDES
$IncludeConfig /etc/rsyslog.d/*.conf
[/code]
[code]
# /etc/rsyslog.d/03_log-reception.conf ~ Receive all logs via RELP and write them to disk

# MODULES
module(load="imrelp")
input(type="imrelp" port="2514" tls="on")

# TEMPLATES
template(name="DynFile" type="string"
  string="/var/local/zhaw/syslog/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/%SYSLOGFACILITY-TEXT%"
)

# RULES
*.* action(type="omfile" dynaFile="DynFile")
[/code]

With this configuration, the clients write logs to
[i]/var/log/[/i] with the syslog-facility names (syslog,
authpriv, mail, cron, ...) and also send them to the central syslog server
via RELP.
The server writes its own logs to the same location as the received logs
from the clients: [i]/var/local/zhaw/syslog/...[/i]
This is because there only exists one action [*.* action(type="omfile"
dynaFile="DynFile")] and it applies to both the server's own (local) logs
and the received logs.

There is however a difference! While the syslog server's local logs are
named after their facilities, the log file names of remote hosts (on the
syslog server) only ever have the name [i]user[/i].
Does [i]imrelp[/i] declare incoming logs as facility
[i]user[/i]?

[b]CLIENT LOGS[/b] (on syslog server)
[code]
root at kinkajou: ~/syslog/srv-lab-359/2015/02/20 # ls
total 4.0K
-rw-------. 1 logstash logstash 1.6K Feb 20 11:30 user
root at kinkajou: ~/syslog/srv-lab-359/2015/02/20 # head -n 2 user 
2015-02-20T10:40:54+01:00 srv-lab-359 syslog.info:
rsyslogd: [origin software="rsyslogd" swVersion="8.7.0"
x-pid="4059" x-info="http://www.rsyslog.com"] start
2015-02-20T10:40:54+01:00 srv-lab-359 syslog.info:
rsyslogd: [origin software="rsyslogd" swVersion="8.7.0"
x-pid="4059" x-info="http://www.rsyslog.com"] start
root at kinkajou: ~/syslog/srv-lab-359/2015/02/20 #
[/code]
[b]SERVER LOGS[/b] (on syslog server)
[code]
root at kinkajou: ~/syslog/srv-app-305/2015/02/20 # ls
total 8.0K
-rw-------. 1 logstash logstash  767 Feb 20 11:30 cron
-rw-------. 1 logstash logstash 2.9K Feb 20 11:35 syslog
root at kinkajou: ~/syslog/srv-app-305/2015/02/20 # head -n 2 syslog 
2015-02-20T10:49:45.863276+01:00 srv-app-305 rsyslogd:
[origin software="rsyslogd" swVersion="8.7.0" x-pid="57520"
x-info="http://www.rsyslog.com"] exiting on signal 15.
2015-02-20T10:49:46.651951+01:00 srv-app-305 rsyslogd:
[origin software="rsyslogd" swVersion="8.7.0" x-pid="57747"
x-info="http://www.rsyslog.com"] start
root at kinkajou: ~/syslog/srv-app-305/2015/02/20 #
[/code]

Am I doing something wrong? I'd really like the logs from remote machines
to get written to files with their facility as well.

Cheers,
Stefan
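Added worked example (not part of the forum post above, and not rsyslog's own code): a small Python model of how a receiving syslog daemon derives %syslogfacility-text% from the wire message, and of the server's DynFile template from the thread. The facility lives only in the numeric `<PRI>` header at the start of a message (facility * 8 + severity); the ForwardFormat template shown above emits `syslog.info` as plain text instead of a `<PRI>` header, and RFC 3164 section 4.3.3 tells a relay to assume `<13>` (user.notice) for a message without one, which matches every forwarded message on this page landing in a file named `user`. The two sample messages are constructed; the default PRI and the facility names 12-15 are labelled as assumptions in the code.

```python
import re

# Facility and severity names for PRI values (RFC 3164 / RFC 5424 numbering).
# Assumption: 12-15 are not consistently named across implementations, so they
# are labelled "reservedNN" here.
FACILITY_NAMES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "reserved12", "reserved13",
    "reserved14", "reserved15",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 3164 4.3.3: a relay that receives a message with no (or an invalid) PRI
# assumes <13>, i.e. facility user (1), severity notice (5).
DEFAULT_PRI = 13

PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(pri):
    """Split a numeric PRI into (facility_text, severity_text)."""
    return FACILITY_NAMES[pri // 8], SEVERITY_NAMES[pri % 8]


def parse_pri(line):
    """Return (facility_text, severity_text, remainder) for one raw wire message.

    Only a leading <N> with 0 <= N <= 191 counts as a PRI header; anything
    else (including facility text such as 'syslog.info:' inside the message)
    falls back to DEFAULT_PRI, so the event is filed under 'user'.
    """
    m = PRI_RE.match(line)
    if m and int(m.group(1)) <= 191:
        fac, sev = decode_pri(int(m.group(1)))
        return fac, sev, line[m.end():]
    fac, sev = decode_pri(DEFAULT_PRI)
    return fac, sev, line


def dynafile_path(hostname, year, month, day, facility_text,
                  base="/var/local/zhaw/syslog"):
    """Mirror of the server's DynFile template in the thread:
    base/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/%SYSLOGFACILITY-TEXT%"""
    return f"{base}/{hostname}/{year:04d}/{month:02d}/{day:02d}/{facility_text}"


def route(line, hostname, year, month, day):
    """Which file the server-side omfile action would append this message to."""
    fac, _sev, _rest = parse_pri(line)
    return dynafile_path(hostname, year, month, day, fac)


# Constructed sample messages (not captured traffic).
# 1. What the thread's ForwardFormat template puts on the wire: no <PRI>,
#    facility.severity present only as text.
NO_PRI = "2015-02-20T10:40:54+01:00 srv-lab-359 syslog.info: rsyslogd: start"
# 2. The same event carrying a PRI header (syslog.info = 5*8 + 6 = 46), as a
#    forwarding template that begins with <%PRI%> would emit it.
WITH_PRI = "<46>2015-02-20T10:40:54+01:00 srv-lab-359 rsyslogd: start"

if __name__ == "__main__":
    for msg in (NO_PRI, WITH_PRI):
        fac, sev, _ = parse_pri(msg)
        print(f"{fac}.{sev:<7} -> {route(msg, 'srv-lab-359', 2015, 2, 20)}")
```

Running it shows the first message filed under `.../srv-lab-359/2015/02/20/user` and the second under `.../syslog`, which is the difference between the client-side files (facility known locally) and the server-side files (facility reconstructed from the wire). A quick check on a live server is to capture one forwarded message and confirm whether it begins with `<N>`.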

