Posts Tagged ‘rsyslog’

rsyslog: slicing & dicing application log files

Wednesday, December 1st, 2021

Let’s slice an application’s log file so that each hour is stored in a separate file, with the files kept in separate directories according to the date.


Example for RTPEngine:

1. create file /etc/rsyslog.d/10-rtpengine.conf

2. add to it the following settings:

template(
    name="rtpengine-tmpl" type="string"
    string="/var/log/rtpengine/%$NOW%/rtpengine-%HOSTNAME%-%$YEAR%%$MONTH%%$DAY%.%$HOUR%.log"
)

template(
    name="rtpengine-fmt" type="string"
    string="%timegenerated% %HOSTNAME% %syslogtag% %msg:::drop-last-lf%\n"
)

if $app-name == ["rtpengine"] then {
    action(type="omfile" dynaFile="rtpengine-tmpl" template="rtpengine-fmt")
    stop
}

3. restart rsyslog.

4. profit


Example for OpenSIPS:

1. create /etc/rsyslog.d/20-opensips.conf

2. add to it:

# :msg, startswith, "ACC:" /var/log/opensips/acc.log
# & stop
#
# :syslogtag, contains, "opensips" /var/log/opensips/opensips.log
# & stop

template(
    name="opensips-tmpl" type="string"
    string="/var/log/opensips/opensips/%$NOW%/opensips-%HOSTNAME%-%$YEAR%%$MONTH%%$DAY%.%$HOUR%.log"
)

template(
    name="opensips-acc-tmpl" type="string"
    string="/var/log/opensips/acc/%$NOW%/acc-%HOSTNAME%-%$YEAR%%$MONTH%%$DAY%.%$HOUR%.log"
)

template(
    name="opensips-fmt" type="string"
    string="%timegenerated% %HOSTNAME% [%procid%] %syslogseverity-text% %msg%\n"
)

if $syslogtag contains "opensips" and $msg contains "ACC:" then {
    action(type="omfile" dynaFile="opensips-acc-tmpl" template="opensips-fmt")
    stop
}

if $syslogtag contains "opensips" then {
    action(type="omfile" dynaFile="opensips-tmpl" template="opensips-fmt")
    stop
}

3. restart rsyslog.
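
rsyslog only creates these per-day directories and hourly files; nothing in the configurations above expires them. The following Python retention job for that layout is an added example, not part of the original post: the function name `prune_dated_logs`, the 14-day retention and the sample tree are assumptions.

```python
import datetime as dt
import gzip
import shutil
import tempfile
from pathlib import Path


def prune_dated_logs(base, keep_days, today=None):
    """Gzip logs of finished days; delete day directories older than keep_days.

    Returns (compressed, removed): relative file names and directory names.
    """
    today = today or dt.date.today()
    cutoff = today - dt.timedelta(days=keep_days)
    compressed, removed = [], []
    for entry in sorted(Path(base).iterdir()):
        # Act only on real directories named exactly like %$NOW% (YYYY-MM-DD);
        # skip symlinks so the job never deletes outside the log tree.
        if entry.is_symlink() or not entry.is_dir():
            continue
        try:
            day = dt.datetime.strptime(entry.name, "%Y-%m-%d").date()
        except ValueError:
            continue
        if day.isoformat() != entry.name:
            continue
        if day < cutoff:
            shutil.rmtree(entry)
            removed.append(entry.name)
        elif day < today:
            # The template routes new messages to today's directory, so
            # files of an earlier day are complete and can be compressed.
            for log in sorted(entry.glob("*.log")):
                if log.is_symlink() or not log.is_file():
                    continue
                with open(log, "rb") as src, gzip.open(f"{log}.gz", "wb") as dst:
                    shutil.copyfileobj(src, dst)
                log.unlink()
                compressed.append(f"{entry.name}/{log.name}")
    return compressed, removed


if __name__ == "__main__":
    # Constructed sample tree; a real job would pass /var/log/rtpengine.
    with tempfile.TemporaryDirectory() as tmp:
        for d in ("2021-11-01", "2021-11-30", "2021-12-01"):
            (Path(tmp) / d).mkdir()
            (Path(tmp) / d / "rtpengine-sbc1.10.log").write_text("constructed\n")
        print(prune_dated_logs(tmp, keep_days=14, today=dt.date(2021, 12, 1)))
```

Run it once a day from cron for each base directory (for the OpenSIPS example, /var/log/opensips/opensips and /var/log/opensips/acc separately).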

rsyslog: do not collect logs from some application

Tuesday, June 26th, 2018

If the application itself has no setting for this, you can configure rsyslog not to write the app’s logs.

CentOS 6.6, rsyslog 5.8.10-10.el6_6:
Asterisk is configured to write logs to a remote syslog server (syslog02.core), but it still writes them locally as well.
To prevent this, create ‘/etc/rsyslog.d/10-asterisk.conf’ with the lines:

:syslogtag, contains, "asterisk" @syslog02.core
& stop

Debian 9.4 Stretch, rsyslog 8.24.0-1:
Asterisk is not configured to write to a remote syslog, but it still writes everything to the local rsyslog.
Create ‘/etc/rsyslog.d/10-asterisk.conf’:

if $programname == "asterisk" then {
    stop
}

https://www.rsyslog.com/doc/v8-stable/configuration/filters.html
https://www.rsyslog.com/discarding-unwanted-messages/