Forwarding structured data with rsyslog

loggingrsyslog

We have a Java application logging structured data (MDC with log4j) via syslog to rsyslog (7.6.3) on localhost. localhost should then forward these log messages to a central logging host (also running rsyslog (7.4.4)) which will format the log messages and distribute them into files.

The problem is that we see the structured data on localhost (by logging %rawmsg% to a file), but there is no structured data in the %rawmsg% as received on the logging server. The forwading is done via UDP.

How can we transfer the structured data as structured data via rsyslog?

Best Answer

The standard template for remote forwarding uses a traditional BSD Syslog format. Try to use the predefined template RSYSLOG_SyslogProtocol23Format to forward in syslog-protocol format with structured data. E.g.:

*.* @logserver;RSYSLOG_SyslogProtocol23Format

Related Solutions

Remote rsyslog only writing logging data to /var/log/syslog and not custom logfiles

OK, solved it. I changed the config entry in my custom 22-remote.conf file in /etc/rsyslog.d/ from this:

:msg, contains, "AMAZONA-COMPUTERNAME1" /var/log/dbm/server-1.log
& ~
:msg, contains, "AMAZONA-COMPUTERNAME2" /var/log/dbm/server2.log
& ~

To this:

if $fromhost-ip == '10.11.12.12' then /var/log/dbm/server-1.log
& ~
if $fromhost-ip == '10.11.13.13' then /var/log/dbm/server2.log
& ~

Restarting rsyslog re-sends logs again

The freezing of log transmission aspect of this problem appears to likely be due to a bug in the way rsyslog is configured out of the box with 'buntu: https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/940030

I was also able to find an interesting post on expertsexchange: www.expert-sex-change.com/OS/Linux/Administration/Q_27511414.html:

> I recently ran into a problem and was hoping someone could help me figure it out.  I am
> running Ubuntu 10.04 and rsyslog 5.8.1.  I setup rsyslog to monitor a few files and send
> the any changes to those files to Loggly (great service by the way).  Well, it all works
> great, except for the fact that whenever I restart rsyslog it resends everything from those
> files that it had sent in the past.  Now, it is my understanding that rsyslog should use
> the $WorkDirectory and create what file that you set for $InputFileStateFile to save the
> state of the monitored file so that it does not send duplicate entries.
> 
> Here is an example that I'm working with:
> 
> $WorkDirectory /var/log/rsyslog
> 
> # Monit log file
> $InputFileName /var/log/monit.log
> $InputFileTag monit
> $InputFileStateFile monit-state
> $InputFileSeverity info
> $InputRunFileMonitor
> 
> So, from my description above, rsyslog should create a "monit-state" file in 
> "/var/log/rsyslog" which would save the state of the /var/log/monit.log" file so no 
> duplicates are sent.  Is that correct?  If so, this is not happening!
> 
> What should the premission of "/var/log/rsyslog" be?  Do I have to touch "monit-state" in
> "/var/log/rsyslog" (I tried that already and nothing happened)?

With an interesting answer:

> Ok, I found this site (Trouble Shooting Rsyslog) and went through the interactive debugging
> mode using:
> 
> rsyslogd -c5 -dn > logfile
> 1:
> Select all
> Open in new window
> 
> 
> I was able to see that it was in fact a permissions problem.  I opened up permissions to
> 777 for my $WorkDirectory, just to test, and rsyslog did create the state files and
> everything worked as planned.  I will continue to play with the permissions so that it's
> not 777 (obviously), but I wanted to let anyone else that might be having this problem know
> how I solved it.

I have adjusted the permissions on /var/spool/rsyslog to be owned by user "syslog". I've tested for duplicate transmissions after applying this change and it seems to have fixed the problem. If the problem re-emerges or I find out that this didn't fix it, I will return here and update the answer.

SOLUTION:

$ sudo chown syslog /var/spool/rsyslog

Best Answer

Related Solutions

Remote rsyslog only writing logging data to /var/log/syslog and not custom logfiles

Restarting rsyslog re-sends logs again

Related Topic