I have several different django applications under apache on a Red Hat server. These applications use SysLogHandler for sending log messages to the local rsyslog service. In order to pipe log messages from different django applications to different files, we are using rsyslog tagging (based on syslogtag). Here's what we have in /etc/rsyslog.conf:
...
$template myFormat,"%msg%\n"
if $syslogfacility-text == 'local2' and $syslogtag == 'dev:' then /var/log/ap/dev/ws.log;myFormat
if $syslogfacility-text == 'local2' and $syslogtag == 'rel:' then /var/log/ap/rel/ws.log;myFormat
...
Works this way: if the log message is dev:Hello World!, Hello World! is written to /var/log/ap/dev/ws.log.
Everything worked fine until yesterday. Our system was upgraded from 6.2 to 6.3. According to yum history, rsyslog was updated from 4.6.2-12 to 5.8.10-2 version.
After debugging a bit, I've found that $syslogtag == 'dev:' condition doesn't work on the new rsyslog version. $syslogtag now eats a part of a message till the first space and contains dev:Hello instead of just dev:.
Could you please point me what to do with it and how to make rsyslog parse the tag correctly? (Changing log message format that comes from django applications is not an option)
Let me know if you need any additional info. Thank you.
Best Answer
If the applications have different names you could use the $programname filter.
If not you can use
if $msg contains 'rel: ' then ....I would suggest looking at http://www.rsyslog.com/doc/rsyslog_conf_filter.html