Rsyslog pass log to script

rsyslogsyslog

I have been trying to pass captured log to a perl script, however I can not seem to find the right way. Do you have any suggestions for correct way of sending captured log to a script for further processing?

I can activate this script with this but, I can't pass the captured message:

$ModLoad omprog
$template MyTemplateName,"some\n"

if $programname == 'arpwatch' and $msg contains 'new station' then {
    action(type="omprog" binary="/tmp/somescript.pl" template="MyTemplateName")
}

Best Answer

Well... turns out it's easier than it looked like. For some reason I could not successfully apply "action", so I went for the old way of doing this. Captured log messaged is sent as argument in default template format if not specified otherwise.

if $programname == 'arpwatch' and $msg contains 'new station' then {
    ^/opt/bin/script.pl
}

Related Solutions

RSyslog – Fixing Issues with Log Files Outside /var/log

SELinux will prevent processes that are labeled syslogd_t to write to files that are (probably) labeled default_t. You need to label the file with something syslogd_t can write to. Files in /var/log are mostly labeled var_log_t, a type syslogd_t can surely write to.

You should not just relabel the files in /Testing to var_log_t, because that's bound to break at some point, when somebody executes an autorelabel at the next boot or runs restorecon -FvR /.

Instead, write a little policy that automatically and consistently labels your files in /Testing. Something to get your started. Your policy file could look similar to this:

/Testing(/.*)?    --    gen_context(system_u:object_r:var_log_t)

SELinux policy writing however, is a tad tricky. Which is why you should put stuff at the default location for that stuff.

However, I personally feel that logging should really go into /var/log. It's there for a reason. No matter how good you think your reason is for writing to /Testing, it's probably better to write to something like /var/log/testing.

Edit: no, no, no, no, no. That won't do. That was silly. You do not want to write a policy to allow syslogd_t to write to var_log_t, because that is already allowed by the default policy. You need to write filecontext rules (a .fc file), like my new snippet above, to label /Testing as var_log_t if you must...

Linux – Rsyslog stops sending data to remote server after log rotation

The problem was actually coming from logrotate.

Basically with my configuration, running unicorn, I don't need to use the copytruncate directive. (which is what causes problems here)

USR1 - Reopen all logs owned by the worker process. See Unicorn::Util.reopen_logs for what is considered a log. Log files are not reopened until it is done processing the current request, so multiple log lines for one request (as done by Rails) will not be split across multiple logs.

This started working properly after updating to this configuration:

/home/user/my_app/shared/log/*.log {
  daily
  missingok
  dateext
  rotate 30
  compress
  notifempty
  extension gz
  create 640 user user
  sharedscripts

  post-rotate
    # Telling Unicorn to reload files
    test -s /home/user/my_app/shared/pids/unicorn.pid && kill -USR1 "$(cat /home/user/my_app/shared/pids/unicorn.pid)"

    # Reloading rsyslog telling it that files have been rotated
    reload rsyslog 2>&1 || true
  endscript
}

Best Answer

Related Solutions

RSyslog – Fixing Issues with Log Files Outside /var/log

Linux – Rsyslog stops sending data to remote server after log rotation

Related Topic