Adding Tag (i.e. Source IP) to rsyslog for sending to rsyslog remote server

rsyslogsyslog

Is there any way to adding a Tag to Logs which sent by rsyslog?
I send these logs to another server, and I can detect source IP as destination, but I need to adding tag in source.

Best Answer

You should be able to match the hostname of the system emitting your log. Isn't that enough?

Rsyslog has an option $PreserveFQDN on, to replace that hostname with your FQDN, which is probably better with syslog concentrators, ...

I suppose on the other end you have some logstash or elasticsearch? Either way, rsyslog also allows you to define templates such as:

template(name="jsonfmt" type="list" option.json="on") {
    constant(value="{")
    constant(value="\"@timestamp\":\"") property(name="timereported" dateFormat="rfc3339")
    constant(value="\",\"@version\":\"1")
    constant(value="\",\"message\":\"") property(name="msg")
    constant(value="\",\"@fields.host\":\"") property(name="hostname")
    constant(value="\",\"@fields.severity\":\"") property(name="syslogseverity-text")
    constant(value="\",\"@fields.facility\":\"") property(name="syslogfacility-text")
    constant(value="\",\"@fields.programname\":\"") property(name="programname")
    constant(value="\",\"@fields.procid\":\"") property(name="procid")
    constant(value="\",\"@fields.mytag\":\"foobarStaticTag\"}\n")
}

local7.* @logstash.example.com:1514;jsonfmt
local7.* action(type="omelasticsearch"
       action.resumeretrycount="-1"
       dynSearchIndex="on"
       bulkmode="on"
       queue.type="linkedlist"
       queue.size="1000000"
       queue.dequeuebatchsize="1000"
       queue.workerthreads="2"
       searchIndex="logidx"
       server="esearchgw.example.com"
       template="jsonfmt")

Note that the sample logstash forwarder assumes your input definition includes codec => json. The foobarStaticTag being whatever Tag you wanted to add.

Related Solutions

How to setup rsyslog to send all logs to multiple remote servers

From Forwarding to More than One Server;

What is important to know, however, is that the full set of directives make up an action. So you can not simply add (just) a second forwarding rule, but need to duplicate the rule configuration as well. Be careful that you use different queue file names for the second action, else you will mess up your system.

So, actually, you have to use 2 different local queues.

Configure a working directory.

$WorkDirectory /var/spool/rsyslog

Configure your forwarding rules (obsolete legacy format).

$ActionQueueType LinkedList
$ActionQueueFileName Forward1
$ActionResumeRetryCount -1
$ActionQueueSaveOnShutdown on
*.* @@server1

$ActionQueueType LinkedList
$ActionQueueFileName Forward2
$ActionResumeRetryCount -1
$ActionQueueSaveOnShutdown on
*.* @@server2

Configure your forwarding rules (new advanced format).

action(type="omfwd" target="server1" resumeRetryCount="-1" 
    queue.type="LinkedList" queue.filename="Forward1" queue.saveOnShutdown="on")

action(type="omfwd" target="server2" resumeRetryCount="-1" 
    queue.type="LinkedList" queue.filename="Forward2" queue.saveOnShutdown="on")

Linux – Rsyslog stops sending data to remote server after log rotation

The problem was actually coming from logrotate.

Basically with my configuration, running unicorn, I don't need to use the copytruncate directive. (which is what causes problems here)

USR1 - Reopen all logs owned by the worker process. See Unicorn::Util.reopen_logs for what is considered a log. Log files are not reopened until it is done processing the current request, so multiple log lines for one request (as done by Rails) will not be split across multiple logs.

This started working properly after updating to this configuration:

/home/user/my_app/shared/log/*.log {
  daily
  missingok
  dateext
  rotate 30
  compress
  notifempty
  extension gz
  create 640 user user
  sharedscripts

  post-rotate
    # Telling Unicorn to reload files
    test -s /home/user/my_app/shared/pids/unicorn.pid && kill -USR1 "$(cat /home/user/my_app/shared/pids/unicorn.pid)"

    # Reloading rsyslog telling it that files have been rotated
    reload rsyslog 2>&1 || true
  endscript
}

Best Answer

Related Solutions

How to setup rsyslog to send all logs to multiple remote servers

Linux – Rsyslog stops sending data to remote server after log rotation

Related Topic