forwarding to and recording on remote using different templa

This is the place for you, if you got rsyslog up and running but wonder how to make it do what you want.

Moderator: rgerhards

Google Ads

forwarding to and recording on remote using different templa

Postby yxu » Fri May 19, 2017 12:02 pm

I am working on using rsyslog to establish centralised logging.

On client side, I am using one format to forward the log, as shown below (in rsyslog.conf file).
Code: Select all
template (name="LongTagForwardFormat" type="string" string="<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg%")

*.* :omrelp:;LongTagForwardFormat

On server side, I have the following in rsyslog.conf file.
Code: Select all
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

template(name="custom_template" type="string" string="custom logging %msg%")

action(type="omfile" dirCreateMode="0700" dirOwner="logbot" dirGroup="logbot" fileCreateMode="0664" fileOwner="logbot" fileGroup="logbot" template="custom_template")

The first line set the default logging format, the second line creates new custom template, and the last line writes the income file using omfile with the custom template.

However, the logs still appear in RSYSLOG_TraditionalFileFormat instead of the custom one. What am I doing wrong or how do I achieve what I am trying to here? Thanks in advance, any help or thought is much appreciated.

Note: there are reasons that the logs have to be forwarded in that particular template, so changing the format on the client side is only limited to adding more properties such as metadata, if needed.
Posts: 1
Joined: Fri May 19, 2017 11:21 am

Urgent Question?

  • Pulling out your Hair?
  • Wasting Time and Money?
  • Deadline Approaching?

Re: forwarding to and recording on remote using different te

Postby rgerhards » Fri May 19, 2017 5:09 pm

I assume that you have error message from rsyslog on the central server, because what you describe should work. Make sure that syslog messages are actually recorded (many distros throw them aways). If in doubt, add

syslog.* /var/log/rsyslogd.log

to the TOP of rsyslog.conf (not an include or so).

Then, restart rsyslog and check file contents.

Site Admin
Posts: 3792
Joined: Thu Feb 13, 2003 11:57 am

Google Ads

Return to Configuration

Who is online

Users browsing this forum: No registered users and 2 guests