Rsyslog: From a custom log file, Forward only the messages matching a pattern
I want to forward messages matching a pattern (HELLO in this case) from a custom log file (/home/ubuntu/test.log) to a remote rsyslog server.
Here is the configuration:
# cat /etc/rsyslog.d/05-forwarding.conf
*.* @@rsyslogserver.mycompany.com:10514
# cat /etc/rsyslog.d/10-custom.conf
$ModLoad imfile
$InputFilePollInterval 1
$InputFileName /home/ubuntu/test.log
$InputFileTag testlogs:
$InputFileStateFile testlogs
$InputRunFileMonitor
:msg, contains, "HELLO" /var/log/testlog_error.log
& stop
:msg, !contains, "HELLO" stop
Problem:
- All messages going to the /var/log/syslog have stopped. << NOT GOOD
- Messages containing HELLO word in /home/ubuntu/test.log are going to /var/log/testlog_error.log as well as getting forwarded to remote rsyslog server. << GOOD
- Messages NOT containing HELLO word in /home/ubuntu/test.log are not going to /var/log/testlog_error.log, which is GOOD, but these messages are getting forwarded to remote rsyslog server. << BAD
My Ideal situation should be:
- System and all other messages should continue to go to /var/log/syslog
- No Change here. This is working as expected.
- Messages NOT containing HELLO word in /home/ubuntu/test.log should completely get discarded. Don't write to local file as well as don't forward such messages to remote server.
Need help in solving point 1 and point 3 above.
As it is, your file /etc/rsyslog.d/05-forwarding.conf is forwarding all messages passing through, and not only messages from your custom file /home/ubuntu/test.log. So, you can delete it, as you said you only want to forward messages from your custom file.
Your file /etc/rsyslog.d/10-custom.conf must look like:
$ModLoad imfile
$InputFilePollInterval 1
$InputFileName /home/ubuntu/test.log
$InputFileTag testlogs:
$InputFileStateFile testlogs
$InputFileFacility local0
$InputRunFileMonitor
:syslogtag, isequal, "testlogs:" {
    :msg, contains, "HELLO" {
        local0.* /var/log/testlog_error.log
        local0.* @@rsyslogserver.mycompany.com:10514
    }
    stop
}
As you can see, I added the following:
$InputFileFacility local0
Now your custom file will be monitored, and its messages will be written in local0 facility. Messages from local0 will have the tag that you associated to it.
:syslogtag, isequal, "testlogs:"
This rule will only match a message that contains the tag testlogs:, that is exactly the messages you want. So, all other messages will skip it, and be logged in /var/log/syslog and everything else from 50-default.conf.
:msg, contains, "HELLO"
Now, all messages from your file that contain HELLO will be logged in /var/log/testlog_error.log and forwarded to @@rsyslogserver.mycompany.com:10514.
And then, the "stop" will discard all messages from your file that are being written in local0.
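The rule ordering behind both configurations, as an added example that is not part of the original question or answer: a simplified Python model (not rsyslog code) of top-to-bottom rule processing, showing where each message ends up under the question's files and under the answer's. The sample messages are constructed, and the 50-default.conf rule is assumed to write everything to /var/log/syslog.

```python
# Simplified model of rsyslog rule processing (added example, not rsyslog code).
# Rules run top to bottom in config-file order; "stop" ends processing of
# the message, so later rules (e.g. 50-default.conf) never see it.

SYSLOG = "/var/log/syslog"
ERRLOG = "/var/log/testlog_error.log"
REMOTE = "@@rsyslogserver.mycompany.com:10514"
STOP = object()  # sentinel standing in for rsyslog's "stop"


def question_rules(tag, msg):
    """Rule order from the question: 05-forwarding, 10-custom, 50-default."""
    yield REMOTE                      # *.* forwards everything first
    if "HELLO" in msg:
        yield ERRLOG
        yield STOP                    # & stop
    if "HELLO" not in msg:
        yield STOP                    # applies to every source, not just the file
    yield SYSLOG                      # 50-default.conf (assumed default rule)


def answer_rules(tag, msg):
    """Rule order from the answer: 10-custom (tag-scoped), 50-default."""
    if tag == "testlogs:":
        if "HELLO" in msg:
            yield ERRLOG
            yield REMOTE
        yield STOP                    # discards only messages from the watched file
    yield SYSLOG                      # 50-default.conf (assumed default rule)


def route(rules, tag, msg):
    """Return the destinations a message reaches before any stop."""
    out = []
    for dest in rules(tag, msg):
        if dest is STOP:
            break
        out.append(dest)
    return out


# Constructed sample messages: (tag, text)
SAMPLES = [("sshd[811]:", "Accepted publickey for ubuntu"),
           ("testlogs:", "HELLO world"),
           ("testlogs:", "nothing to see")]

if __name__ == "__main__":
    for tag, msg in SAMPLES:
        print(tag, repr(msg))
        print("  question:", route(question_rules, tag, msg))
        print("  answer:  ", route(answer_rules, tag, msg))
```

Under the question's rules every message reaches the remote server and none reaches /var/log/syslog; under the answer's rules only tagged messages containing HELLO leave the host.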