Format file name with Rsyslog – Valuable Tech Notes

I need to format the name of files that rsyslog will create:

Right now, in /etc/rsyslog.d/51-loggingdriver.conf I have:

$template DockerLogs,"/var/log/docker/%HOSTNAME%_%FROMHOST-IP%_%PROGRAMMENAME%_syslog.log"

But it appears that programmename gives me something like:

gitlab_gitlab.1.2rr19xz43unto19ba1sih7jqg_syslog.log
gitlab_gitlab.1.aw2xvfp77i68i2c87szy5n8g9_syslog.log
gitlab_gitlab.1.ig5hk4j3i5x8i6hi07ebqotln_syslog.log

so it gives me several file for the same app, but I would like just one file.
(the random suffix is due to using Docker Swarm Services)

I would like to have this field equals to: gitlab_gitlab, or even better, just 'gitlab'

Is it posible? How should I do it ? Is there any way to do a substring ???

Best Answer

You can do many things with the property replacer, including taking a substring of fixed size, or more powerfully matching a regular expression. For example,

%programmename:R,ERE,1,FIELD:([^_.]+).*--end%

instead of %PROGRAMMENAME% in your template will stop after the first _ or . character. The R means use a regexp, of extended syntax ERE, keep the first capture group 1, and if no match use the original FIELD value. The regexp pattern has a capture group () which matches any characters but the two mentioned earler [^_.]+. The --end shows the end of the R syntax.

Best Answer

Related Solutions

How to restart rsyslog daemon on ubuntu

What’s causing rsyslog to log $msg**INVALID PROPERTY NAME** instead of the message contents from sonicwall devices

Related Topic

What’s causing rsyslog to log $msgINVALID PROPERTY NAME instead of the message contents from sonicwall devices