Trying to convert syslog-ng to rsyslog

Question

I'me trying to get nginx to log direct to piwik. I am having problems getting rsyslog to accecpt some syslog-ng syntax. The rsyslog doc says syslog-ng conf is compatible with it.

source s_nginx_20 { pipe("/var/lib/nginx/access.log" program_override("nginx-access-log")); };
filter f_nginx_20 { match("nginx-access-log" value("PROGRAM")); };
destination d_piwik { program("/path/to/piwik.sh" template("$MSG\n")); };
log { source(s_nginx_20); filter(f_nginx_20); destination(d_piwik); };

The above results in this:

Mar  3 02:05:21 CentOS-65-64-minimal kernel: imklog 5.8.10, log source = /proc/kmsg started.
Mar  3 02:05:21 CentOS-65-64-minimal rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="24662" x-info="http://www.rsyslog.com"] start
Mar  3 02:05:21 CentOS-65-64-minimal rsyslogd-3000: unknown priority name "log"" [try http://www.rsyslog.com/e/3000 ]
Mar  3 02:05:21 CentOS-65-64-minimal rsyslogd: the last error occured in /etc/rsyslog.d/nginx.conf, line 1:"source s_nginx_20 { pipe("/var/lib/nginx/access.log" program_override("nginx-access-log")); };"
Mar  3 02:05:21 CentOS-65-64-minimal rsyslogd: warning: selector line without actions will be discarded
Mar  3 02:05:21 CentOS-65-64-minimal rsyslogd-3000: unknown priority name "" [try http://www.rsyslog.com/e/3000 ]
Mar  3 02:05:21 CentOS-65-64-minimal rsyslogd: the last error occured in /etc/rsyslog.d/nginx.conf, line 4:"filter f_nginx_20 { match("nginx-access-log" value("PROGRAM")); };"
Mar  3 02:05:21 CentOS-65-64-minimal rsyslogd: warning: selector line without actions will be discarded
Mar  3 02:05:21 CentOS-65-64-minimal rsyslogd-3000: unknown priority name "sh"" [try http://www.rsyslog.com/e/3000 ]
Mar  3 02:05:21 CentOS-65-64-minimal rsyslogd: the last error occured in /etc/rsyslog.d/nginx.conf, line 8:"destination d_piwik { program("/home/fsdownload/piwik.sh" template("$MSG\n")); };"
Mar  3 02:05:21 CentOS-65-64-minimal rsyslogd: warning: selector line without actions will be discarded
Mar  3 02:05:21 CentOS-65-64-minimal rsyslogd-3000: unknown priority name "" [try http://www.rsyslog.com/e/3000 ]
Mar  3 02:05:21 CentOS-65-64-minimal rsyslogd: the last error occured in /etc/rsyslog.d/nginx.conf, line 10:"log { source(s_nginx_20); filter(f_nginx_20); destination(d_piwik); };"
Mar  3 02:05:21 CentOS-65-64-minimal rsyslogd: warning: selector line without actions will be discarded
Mar  3 02:05:21 CentOS-65-64-minimal rsyslogd: the last error occured in /etc/rsyslog.conf, line 31:"$IncludeConfig /etc/rsyslog.d/*.conf"
Mar  3 02:05:21 CentOS-65-64-minimal rsyslogd-2124: CONFIG ERROR: could not interpret master config file '/etc/rsyslog.conf'. [try http://www.rsyslog.com/e/2124 ]

Any help or advise would be appreciated. The config snippet was modified from here: http://syshero.org/post/68174083489/nginx-syslog-ing-without-breaking-the-bank-or-patching

Info about getting piwik to work with nginx is here: https://github.com/piwik/piwik/tree/master/misc/log-analytics

Answer 1

Debian wheezy, rsyslog 5.8.11

nginx.conf and piwik.sh are exactly the same as in piwik documentation (https://github.com/piwik/piwik/tree/master/misc/log-analytics)

Rsyslog config:

/etc/rsyslog.d/piwik.conf

$ModLoad omprog
$ActionOMProgBinary /usr/local/bin/piwik.sh

$template nginxlog,"%msg%\n"   

if $syslogtag contains 'nginx' and $syslogfacility-text == 'local6' then :omprog:;nginxlog
:syslogtag, contains, "nginx" ~

Answer 2

I figure out how to do this under rsyslog shipped with Centos 6. Had to use the legacy format for the text file input module.

$ModLoad imfile # needs to be done just once
# File 1
$InputFileName /var/lib/nginx/access.log
$InputFileTag nginx_log:
$InputFileStateFile /var/lib/rsyslog/nginx_statefile1

$InputFileSeverity info
$InputFileFacility local7
$InputFilePollInterval 5
$InputRunFileMonitor

if $syslogtag contains 'nginx_log' and $syslogfacility-text == 'local7' then ^/path/to/piwik.sh;nginxlog
:syslogtag, contains, "nginx_log" ~