Ubuntu – Rsyslog: From a custom log file, Forward only the messages matching a pattern

Tags: rsyslog, Ubuntu

I want to forward messages matching a pattern (HELLO in this case) from a custom log file (/home/ubuntu/test.log) to a remote rsyslog server.

Here is the configuration:

# cat /etc/rsyslog.d/05-forwarding.conf
*.* @@rsyslogserver.mycompany.com:10514

# cat /etc/rsyslog.d/10-custom.conf
$ModLoad imfile
$InputFilePollInterval 1
$InputFileName /home/ubuntu/test.log
$InputFileTag testlogs:
$InputFileStateFile testlogs
$InputRunFileMonitor
:msg, contains, "HELLO" /var/log/testlog_error.log
& stop
:msg, !contains, "HELLO" stop

Problem:

  1. All messages going to /var/log/syslog have stopped. << NOT GOOD
  2. Messages containing the word HELLO in /home/ubuntu/test.log are going to /var/log/testlog_error.log and are also being forwarded to the remote rsyslog server. << GOOD
  3. Messages NOT containing the word HELLO in /home/ubuntu/test.log are not going to /var/log/testlog_error.log, which is GOOD, but these messages are being forwarded to the remote rsyslog server. << BAD

My ideal situation would be:

  1. System and all other messages should continue to go to /var/log/syslog.
  2. No change here. This is working as expected.
  3. Messages NOT containing the word HELLO in /home/ubuntu/test.log should be discarded completely: neither written to the local file nor forwarded to the remote server.

I need help in solving points 1 and 3 above.

Best Answer

As it is, your file /etc/rsyslog.d/05-forwarding.conf is forwarding all messages passing through, not only messages from your custom file /home/ubuntu/test.log. So you can delete it, since you said you only want to forward messages from your custom file.

Your file /etc/rsyslog.d/10-custom.conf must look like:

$ModLoad imfile
$InputFilePollInterval 1
$InputFileName /home/ubuntu/test.log
$InputFileTag testlogs:
$InputFileStateFile testlogs
$InputFileFacility local0
$InputRunFileMonitor

:syslogtag, isequal, "testlogs:" {
  :msg, contains, "HELLO" {
    local0.* /var/log/testlog_error.log
    local0.* @@rsyslogserver.mycompany.com:10514
  }
  stop
}

As you can see, I added the following:

$InputFileFacility local0

Now your custom file will be monitored, and its messages will be written to the local0 facility. Messages from local0 will have the tag that you associated with it.

:syslogtag, isequal, "testlogs:"

This rule will only match messages that carry the tag testlogs:, which are exactly the messages you want. So all other messages will skip it and be logged in /var/log/syslog and everything else from 50-default.conf.

:msg, contains, "HELLO"

Now all messages from your file that contain HELLO will be logged in /var/log/testlog_error.log and forwarded to @@rsyslogserver.mycompany.com:10514.

And then the "stop" will discard all the remaining messages from your file that are being written to local0.
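The same filtering written in rsyslog's RainerScript syntax, as an added example that is not part of the original answer. It assumes rsyslog 7 or later; the host, port, file paths and tag are taken from the question, and the ruleset name "testlogs" is an assumption. Binding the imfile input to its own ruleset keeps the custom file's lines out of the main ruleset entirely, so 50-default.conf and /var/log/syslog are untouched.

```rsyslog
# Added example (not the original answer): RainerScript version of 10-custom.conf.
# Host/port/paths/tag come from the question; the ruleset name "testlogs" is assumed.
module(load="imfile")

# Feed the custom file into a dedicated ruleset so no other input is affected.
input(type="imfile"
      File="/home/ubuntu/test.log"
      Tag="testlogs:"
      Facility="local0"
      Ruleset="testlogs")

ruleset(name="testlogs") {
    # Only lines containing HELLO are written locally and forwarded over TCP.
    if $msg contains "HELLO" then {
        action(type="omfile" file="/var/log/testlog_error.log")
        action(type="omfwd" target="rsyslogserver.mycompany.com"
               port="10514" protocol="tcp")
    }
    # Everything else from the custom file ends here: not logged, not forwarded.
    stop
}
```

Keep the answer's advice to delete 05-forwarding.conf: the dedicated ruleset isolates the custom file, but a `*.* @@...` line in the main ruleset would still forward every other message on the host.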