Rsyslog – How to Forward Specific Log File to Remote Server

log-filesrsyslog

How can I forward message from a specific log file like /www/myapp/log/test.log with rsyslog client to remote rsyslog server? This log file is outside of the directory /var/log.

Best Answer

Just setup an imfile rule in your /etc/rsyslog.conf

#/etc/rsyslog.conf
$ModLoad imfile
$InputFileName /data/mysql/error.log
$InputFileTag mysql-error
$InputFileStateFile stat-mysql-error
$InputFileSeverity error
$InputFileFacility local3
$InputRunFileMonitor
local3.* @@hostname:<portnumber>

This watches a file and saves to the local3 facility in syslog. Then you can send all data from the local3 facility to your remote server. You may also want to add the following to your rsyslog conf (usually /etc/rsyslog.d/50-default.conf on Ubuntu) to not save the local3 facility to /var/log/syslog:

#/etc/rsyslog.d/50-default.conf
*.*;auth,authpriv.none,local1.none,local2.none,local3.none,local4.none,local5.none,local6.none          -/var/log/syslog

Additionally, I would encourage some reading from the following rsyslog docs for more advanced filtering:

Related Solutions

RSyslog – Fixing Issues with Log Files Outside /var/log

SELinux will prevent processes that are labeled syslogd_t to write to files that are (probably) labeled default_t. You need to label the file with something syslogd_t can write to. Files in /var/log are mostly labeled var_log_t, a type syslogd_t can surely write to.

You should not just relabel the files in /Testing to var_log_t, because that's bound to break at some point, when somebody executes an autorelabel at the next boot or runs restorecon -FvR /.

Instead, write a little policy that automatically and consistently labels your files in /Testing. Something to get your started. Your policy file could look similar to this:

/Testing(/.*)?    --    gen_context(system_u:object_r:var_log_t)

SELinux policy writing however, is a tad tricky. Which is why you should put stuff at the default location for that stuff.

However, I personally feel that logging should really go into /var/log. It's there for a reason. No matter how good you think your reason is for writing to /Testing, it's probably better to write to something like /var/log/testing.

Edit: no, no, no, no, no. That won't do. That was silly. You do not want to write a policy to allow syslogd_t to write to var_log_t, because that is already allowed by the default policy. You need to write filecontext rules (a .fc file), like my new snippet above, to label /Testing as var_log_t if you must...

Remote rsyslog only writing logging data to /var/log/syslog and not custom logfiles

OK, solved it. I changed the config entry in my custom 22-remote.conf file in /etc/rsyslog.d/ from this:

:msg, contains, "AMAZONA-COMPUTERNAME1" /var/log/dbm/server-1.log
& ~
:msg, contains, "AMAZONA-COMPUTERNAME2" /var/log/dbm/server2.log
& ~

To this:

if $fromhost-ip == '10.11.12.12' then /var/log/dbm/server-1.log
& ~
if $fromhost-ip == '10.11.13.13' then /var/log/dbm/server2.log
& ~

Best Answer

Related Solutions

RSyslog – Fixing Issues with Log Files Outside /var/log

Remote rsyslog only writing logging data to /var/log/syslog and not custom logfiles

Related Topic