2

I have several different Django applications under Apache on a Red Hat server. These applications use SysLogHandler for sending log messages to the local rsyslog service. In order to pipe log messages from different Django applications to different files, we are using rsyslog tagging (based on syslogtag). Here's what we have in /etc/rsyslog.conf:

...
$template myFormat,"%msg%\n"
if $syslogfacility-text == 'local2' and $syslogtag == 'dev:'  then /var/log/ap/dev/ws.log;myFormat
if $syslogfacility-text == 'local2' and $syslogtag == 'rel:'  then /var/log/ap/rel/ws.log;myFormat
...

Works this way: if the log message is dev:Hello World!, Hello World! is written to /var/log/ap/dev/ws.log.

Everything worked fine until yesterday. Our system was upgraded from 6.2 to 6.3. According to yum history, rsyslog was updated from version 4.6.2-12 to 5.8.10-2.

After debugging a bit, I've found that the $syslogtag == 'dev:' condition doesn't work on the new rsyslog version. $syslogtag now eats a part of the message up to the first space and contains dev:Hello instead of just dev:.

Could you please tell me what to do about it and how to make rsyslog parse the tag correctly? (Changing the log message format that comes from the Django applications is not an option.)

Let me know if you need any additional info. Thank you.

alecxe

3 Answers

2

If the applications have different names you could use the $programname filter.

If not you can use if $msg contains 'rel: ' then ....

I would suggest looking at http://www.rsyslog.com/doc/rsyslog_conf_filter.html

  • Thank you for pointing to use `$programname`, it makes the if condition work and I see log messages in the log file. But, the problem is that the actual log message is truncated by `$syslogtag`. Please see my comment to @Bgs answer. – alecxe Oct 14 '13 at 08:13
  • Hmm maybe it has something to do with your '==' expression. As a quick test I used `:syslogtag, contains, "dev:" /var/log/test` in my rsyslog.conf and tried `logger -t dev: hello world` and it seemed ok. –  Oct 14 '13 at 11:57
  • Maybe this is a bug in this particular rsyslog version (5.8.10). Could you try the same test but using 5.8.10? Thanks. – alecxe Oct 14 '13 at 12:00
  • I'm using 5.8.10 on CentOS 6.4 `rsyslogd -v rsyslogd 5.8.10`. Could you give me a full event line to test with? –  Oct 14 '13 at 12:22
  • Ok, let's test it on an example. Here's [rsyslog.conf](https://gist.github.com/alecxe/ef084db7e91f6e610b74) that I'm using now for testing. When I run `logger -t test:Hello World!` - I see just `World!` in the log file. In other words, `%msg%` contains only `World!`, and `%rsyslogtag%` is equal to `test:Hello`. Can you reproduce it? – alecxe Oct 14 '13 at 12:50
  • FYI, adding a space after the tag, like `logger -t test: Hello World!` makes it work, but, as I said, I cannot change the format of messages coming to rsyslog. – alecxe Oct 14 '13 at 12:52
  • Sorry, just read the last comment stating you can't edit the tag. I'll try and think of something else. –  Oct 14 '13 at 12:57
  • Yeah, thanks, this is exactly what the problem is. Well, in theory I can change tags in the applications, but ideally this should be somehow configured or fixed in the rsyslog config (like I've done it in my answer).. – alecxe Oct 14 '13 at 13:04
  • You could look at the property replacer to modify the tag, but if you can edit the tag given I would recommend this as it will likely be the most portable solution. Looking at RFC 3164 it states a space would usually follow, ah the joys of vague standards and implementations. `In that case, a colon and a space character usually follow the TAG. This would be displayed as "TAG: " without the quotes` http://tools.ietf.org/html/rfc3164 –  Oct 14 '13 at 14:24
  • Hm, this means that I have to have a space after the colon and this is actually the correct behavior, right? (it's a feature - not a bug :)) – alecxe Oct 14 '13 at 17:28
  • Yes I believe so. My reading of the standard is this is not explicit as they say "usually". However it would appear rsyslog is explicit about this. All my logs feature the space mentioned. –  Oct 14 '13 at 18:25
2

It's been a while since I migrated, but I believe you should use

$syslogtag startswith 'rel: '

instead of ==

Bgs
  • This makes the if condition work, but log messages are truncated, e.g. if the message sent to rsyslog is `rel:Hello World!`, then the actual log message written to log file contains only `World!`, since `$syslogtag` "eats" a part of the log message and is equal to `dev:Hello` in this case. Don't know why. Thank you anyway. – alecxe Oct 14 '13 at 07:56
  • Have you tried with that additional space character? – Bgs Oct 15 '13 at 19:43
  • Yeah, it works if I add an additional space after the colon. Also, I have to cut this space from the `%msg%` in the template, like `%msg:2:$%\n`. – alecxe Oct 15 '13 at 21:57
0

Thanks to other answers for helping to make the if condition work but the problem is that $msg doesn't contain the actual log message sent from an application since $syslogtag "eats" the part of the message until the first space in it.

As a workaround, I can change the log template and concatenate the missing message part from %syslogtag% and the %msg%:

$template myFormat,"%syslogtag:F,58:2%%msg%\n"

It takes the part of %syslogtag% after the colon (58 ascii code) and adds the %msg% after.

Luckily, this works for both 4.6.2-12 and 5.8.10-2 rsyslog versions. But I don't think this is a nice and clean solution; it looks more like a hack. Also, I'm not sure this will work for future rsyslog versions.

Hope there will be other answers or comments.

alecxe
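The tag/message split discussed in this thread, as a small Python model added here for illustration (it is not code from any of the posts and not rsyslog source). The function names are hypothetical, and the assumption that `%msg%` keeps its leading space is taken from the `%msg:2:$%` comment above.

```python
# Added illustration: models only the behaviour reported in this thread.
# All function names are hypothetical; the sample payloads are constructed.

def split_v4(payload):
    """4.6.2 as described: the tag ends at the first colon ('dev:')."""
    head, colon, rest = payload.partition(":")
    return head + colon, rest

def split_v5(payload):
    """5.8.10 as reported: the tag runs up to the first space.
    Assumption: msg keeps that leading space."""
    tag, space, rest = payload.partition(" ")
    return tag, space + rest

def field(value, delim_code, n):
    """Model of %prop:F,<ascii code>:<n>% (1-based field extraction).
    Only covers values that contain the delimiter, as every tag here does."""
    return value.split(chr(delim_code))[n - 1]

def original_template(tag, msg):
    return msg + "\n"                      # "%msg%\n"

def workaround_template(tag, msg):
    return field(tag, 58, 2) + msg + "\n"  # "%syslogtag:F,58:2%%msg%\n"

def skip_first_char_template(tag, msg):
    return msg[1:] + "\n"                  # "%msg:2:$%\n"

def demo():
    """Return what each template writes for the constructed payloads."""
    no_space = "dev:Hello World!"   # what the applications send
    spaced = "rel: Hello World!"    # the "TAG: " form quoted from RFC 3164
    return {
        "v4_original": original_template(*split_v4(no_space)),
        "v5_original": original_template(*split_v5(no_space)),
        "v4_workaround": workaround_template(*split_v4(no_space)),
        "v5_workaround": workaround_template(*split_v5(no_space)),
        "v5_spaced": skip_first_char_template(*split_v5(spaced)),
    }

if __name__ == "__main__":
    for name, line in demo().items():
        print(f"{name:14} {line!r}")
```

In this model only `v5_original` loses part of the message, which is the truncation described in the question; the workaround template restores it under both splits.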