forwarding to and recording on remote using different templa

This is the place for you, if you got rsyslog up and running but wonder how to make it do what you want.

Moderator: rgerhards

Google Ads


forwarding to and recording on remote using different templa

Postby yxu » Fri May 19, 2017 12:02 pm

I am working on using rsyslog to establish centralised logging.

On client side, I am using one format to forward the log, as shown below (in rsyslog.conf file).
Code: Select all
template (name="LongTagForwardFormat" type="string" string="<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg%")

*.* :omrelp:1.2.3.4:514;LongTagForwardFormat

On server side, I have the following in rsyslog.conf file.
Code: Select all
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

template(name="custom_template" type="string" string="custom logging %msg%")

action(type="omfile" dirCreateMode="0700" dirOwner="logbot" dirGroup="logbot" fileCreateMode="0664" fileOwner="logbot" fileGroup="logbot" template="custom_template")

The first line set the default logging format, the second line creates new custom template, and the last line writes the income file using omfile with the custom template.

However, the logs still appear in RSYSLOG_TraditionalFileFormat instead of the custom one. What am I doing wrong or how do I achieve what I am trying to here? Thanks in advance, any help or thought is much appreciated.

Note: there are reasons that the logs have to be forwarded in that particular template, so changing the format on the client side is only limited to adding more properties such as metadata, if needed.
yxu
New
 
Posts: 2
Joined: Fri May 19, 2017 11:21 am

Urgent Question?

  • Pulling out your Hair?
  • Wasting Time and Money?
  • Deadline Approaching?

Re: forwarding to and recording on remote using different te

Postby rgerhards » Fri May 19, 2017 5:09 pm

I assume that you have error message from rsyslog on the central server, because what you describe should work. Make sure that syslog messages are actually recorded (many distros throw them aways). If in doubt, add

syslog.* /var/log/rsyslogd.log

to the TOP of rsyslog.conf (not an include or so).

Then, restart rsyslog and check file contents.

HTH
Rainer
rgerhards
Site Admin
 
Posts: 3798
Joined: Thu Feb 13, 2003 11:57 am

Re: forwarding to and recording on remote using different te

Postby yxu » Fri May 26, 2017 10:27 am

Thanks a lot for the reply Rainer, tried the same configs for the second time and it works like charm now. But still no idea it did not work earlier, I don't think memory caching on the server/remote side can cause this issue though?

Thanks again

rgerhards wrote:I assume that you have error message from rsyslog on the central server, because what you describe should work. Make sure that syslog messages are actually recorded (many distros throw them aways). If in doubt, add

syslog.* /var/log/rsyslogd.log

to the TOP of rsyslog.conf (not an include or so).

Then, restart rsyslog and check file contents.

HTH
Rainer
yxu
New
 
Posts: 2
Joined: Fri May 19, 2017 11:21 am

Google Ads



Return to Configuration

Who is online

Users browsing this forum: No registered users and 1 guest

cron