
I have a Ruby application on my server, let's call it "alpha". The application emits syslog messages with the program name "alpha". I want to separate my log messages into separate files based on what type of message it is, for instance "auth" messages (logins) or system resource warnings.

I don't have any way of specifying "message type" to syslog other than my program name, so I'm just adding "AUTH:", "SYSTEM:" etc. at the start of my message.

Using Google and man pages, I've come up with these conditions:

:programname,isequal,"alpha"           /var/log/alpha.log

This logs all messages from the "alpha" application to the correct log file.

:msg,startswith," AUTH:"                /var/log/alpha-auth.log

This logs all messages starting with "AUTH:" to the correct log file.

Now obviously, the last condition doesn't just apply to "alpha", but to all messages. I would like to combine these conditions into one that says "all messages from alpha that start with AUTH: ...". Is it possible to combine filters with "and" like that?

"BSD-style blocks" seem perfect, as I can define a block for my application and all conditions apply only to messages from that application. Unfortunately, according to the docs the feature is no longer supported (deprecated?), and I don't want to rely on a deprecated feature. Does rsyslog v7+ introduce an alternative to such blocks?

Using an expression-based filter I've managed to get my desired outcome, but I feel like I'm using a bazooka to kill a fly:

if $programname == "alpha" and $msg startswith " AUTH:" then \
    /var/log/alpha-auth.log

What would be the "correct" (i.e. simplest and least error prone) way to do this?


I'm using Debian Jessie, which currently means rsyslog 8.4.2.

Hubro

1 Answer


First, make a config file in /etc/rsyslog.d, such as 01-alpha.conf, to keep things organized. This way, your 01-alpha.conf will be read before 50-default.conf. 50-default.conf has a rule to log everything to /var/log/syslog, so in this example we will be discarding the message after writing it to alpha's logs.

In 01-alpha.conf:

:programname, isequal, "alpha" {
  *.* /var/log/alpha.log
  :msg, startswith, "AUTH:" {
    *.* /var/log/alpha-auth.log
  }
  stop
}

The message only enters this filter if the program name is alpha; it is then logged to /var/log/alpha.log. If it's an auth log, it is also logged to /var/log/alpha-auth.log. In the end, the message is discarded so it won't be written elsewhere.

  • +1 On the first note, I'm already doing that :) I didn't know you could add a block after a comparison filter like that, it looks a bit cleaner than using an expression. – Hubro May 18 '16 at 11:02
  • Yeah, and you can use the else command, too. – Luiz Guilherme Littig Berger May 18 '16 at 18:06
  • I had to create the file, change its rights, and restart rsyslog: sudo touch /var/log/alpha.log sudo chmod -c 777 /var/log/alpha.log sudo service rsyslog restart – themadmax Feb 13 '20 at 16:48
  • Interesting to note that messages would be logged into the given file, but will also be recorded in syslog (unless rsyslog is instructed otherwise) – ljgww Oct 08 '21 at 09:26
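The same routing written in RainerScript, which is the rsyslog v7+ replacement for the deprecated BSD-style blocks the question asks about. This is an added example, not the answer's config or anything from the question; it assumes the Ruby application logs with ident "alpha" and prefixes messages with "AUTH:" or "SYSTEM:", and the /var/log/alpha-system.log destination is an assumption added here to show a second branch.

```rsyslog
# /etc/rsyslog.d/01-alpha.conf
# Added example (not from the question or the answer above): the answer's
# nested property-based filter expressed in RainerScript.
# Assumes the Ruby app logs with ident "alpha" and prefixes each message
# with "AUTH:" or "SYSTEM:". alpha-system.log is an assumed extra target.

if $programname == "alpha" then {

    # Everything from alpha goes here. Owner, group and mode are stated
    # explicitly so the file is never world-readable or world-writable,
    # whatever the global $FileCreateMode happens to be.
    action(type="omfile" file="/var/log/alpha.log"
           fileOwner="root" fileGroup="adm" fileCreateMode="0640")

    # Messages in the traditional syslog format usually reach rsyslog with
    # a leading space in $msg (the question's filter needs " AUTH:", the
    # answer's uses "AUTH:"). Matching an optional space with a POSIX ERE
    # works either way.
    if re_match($msg, "^ *AUTH:") then {
        action(type="omfile" file="/var/log/alpha-auth.log"
               fileOwner="root" fileGroup="adm" fileCreateMode="0640")
    }

    if re_match($msg, "^ *SYSTEM:") then {
        action(type="omfile" file="/var/log/alpha-system.log"
               fileOwner="root" fileGroup="adm" fileCreateMode="0640")
    }

    # Drop the message here so 50-default.conf does not also copy it to
    # /var/log/syslog. Remove this line if you want it in both places.
    stop
}
```

Before restarting, run `rsyslogd -N1` to syntax-check the configuration (it exits non-zero on errors), then `service rsyslog restart` and send test messages with `logger -t alpha "AUTH: login ok"` and `logger -t alpha "SYSTEM: load high"`; each should land in its own file and nowhere else. There is no need to pre-create the log files, let alone `chmod 777` them as one comment above does: omfile creates them on first write with the owner, group and mode given in the action (the same root:adm 0640 that Debian's stock rsyslog.conf uses for its own files). A world-writable log lets any local user append forged entries or truncate the audit trail, which defeats the purpose of separating auth messages in the first place.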