I'm trying to add a new application log forward to a host which is already setup to send it's logs to a remote syslog server. I'm following the directions here: http://www.rsyslog.com/doc/v7-stable/configuration/modules/imfile.html
The log file is written by an application and doesn't use any of the syslog facilities.
On the sender, I've added these two lines to /etc/rsyslog.conf
:
$ModLoad imfile
$InputFilePollInterval 10
I've added a file in /etc/rsyslog.d/applogger.conf
with the contents below.
input(type="imfile"
File="/var/log/applog"
Tag="applogger"
StateFile="statefile2")
The logs are forwarded to the central logging system OK, but they are also being replicated into /var/log/syslog
and /var/log/messages
on the sending host, cluttering up the logs with lots of extra messages. The link above mentions duplicate entries but this is in regard to unique filenames for the applogs. This is the only file on the system with this name.
I must use rsyslog
for this, so simply replacing it with syslog-ng
is not an option.
How can I forward just the entries in /var/log/applog
without duplicating the entries in the other logs?
Best Answer
Needed to add this line to applogger.conf. Any unique keyword found in the applog message entry will work.