[rsyslog-notify] Forum Thread: How to use rsyslog to ship non-syslog log files remotely? - (Mode 'post')

noreply at adiscon.com noreply at adiscon.com
Fri Aug 26 20:33:37 CEST 2016


User: ZillaG 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=26913#p26913

Message: 
----------
I've been following
[url:1pqcfq9q]https://techpunch.co.uk/development/how-to-ship-logs-with-rsyslog-and-logstash[/url:1pqcfq9q]
to try to ship my applications' log files to a remote server, via rsyslog.
From that page, here are the steps I've taken. Note that firewall and
SELinux are off on both client (VM sending logs) and server (VM receiving
logs).

I've configured my /etc/rsyslog.conf file like so:

[code:1pqcfq9q]# Load the imfile module
module(load="imfile" PollingInterval="10")

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

# Debugging
$DebugFile /var/log/rsyslog-debug.log
$DebugLevel 2

# General configuration
$RepeatedMsgReduction off

$WorkDirectory /var/spool/rsyslog

$ActionQueueFileName mainqueue
$ActionQueueMaxDiskSpace 500M
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1

# Template for non json logs, just sends the message wholesale with extra
# # furniture. 
template(name="textLogTemplate"
  type="list") {
  constant(value="{ ")
  constant(value="\"type\":\"")
  property(name="programname")
  constant(value="\", ")
  constant(value="\"host\":\"")
  property(name="%HOSTNAME%")
  constant(value="\", ")
  constant(value="\"timestamp\":\"")
  property(name="timestamp" dateFormat="rfc3339")
  constant(value="\", ")
  constant(value="\"@version\":\"1\", ")
  constant(value="\"role\":\"app-server\", ")
  constant(value="\"sourcefile\":\"")
  property(name="$!metadata!filename")
  constant(value="\", ")
  constant(value="\"message\":\"")
  property(name="rawmsg" format="json")
  constant(value="\"}\n")
}[/code:1pqcfq9q]

Then I have /etc/rsyslog.d/01-trm-error-logs.conf

[code:1pqcfq9q]
input(type="imfile"
    File="/usr/share/tomcat/dist/logs/trm-error.log"
    Tag="trm-error-logs:"
    readMode="2"
    escapeLF="on"
)

if $programname == 'trm-error-logs:' then {
    action(
        type="omfwd"
        Target="my.remoteserver.com"
        Port="514"
        Protocol="tcp"
        template="textLogTemplate"
    )
    stop
}
[/code:1pqcfq9q]

However, I don't see logs being shipped out. I do see the contents of
/usr/share/tomcat/dist/logs/trm-error.log in /var/log/messages, though I do
NOT want them to appear there. I do see the contents of
/usr/share/tomcat/dist/logs/trm-error.log being read per the contents of
the /var/log/rsyslog-debug.log file I generate.

I do run the following on the client machine, and see nothing.

[code:1pqcfq9q]tcpdump -i eth0 -n host my.remoteserver.com -P out -vvv[/code:1pqcfq9q]

Can someone please help me on what I'm missing? Thanks.

