
I want to change the log message format which is getting printed in /var/log/messages.

I checked in the rsyslog.conf file also, but I didn't find anything relevant to this. Please help.

SecureTech
  • Edit the code; it's open-sourced. But beware that there are tools that read the logs, too, and messing with the logs' internal structure will most likely break those tools. You can always write something that you can pipe the log into, to parse it and reprint it to a file in the format you want. – Blair Houghton Oct 09 '15 at 07:01
  • I did man of rsyslog.conf, and I found that there is a template directive. But I can't understand how to use it. – SecureTech Oct 09 '15 at 09:27
  • Dunno how I missed that. After reading the man page through, it's clear it doesn't say exactly. A template name gets mentioned on a line in the .conf file, but the only template mentioned in the default .conf file is the default template. You might just replace that mention with a template of your own; the man page has numerous template examples. Beyond that, you'll need [the real documentation](http://www.rsyslog.com/doc/master/configuration/index.html). – Blair Houghton Oct 20 '15 at 06:11

1 Answer


I think templates are what you're after: http://www.rsyslog.com/doc/v8-stable/configuration/templates.html

Note that these docs apply to version 8. If you don't have it, you might want to get it from rsyslog.com, for example via packages: http://www.rsyslog.com/downloads/download-other/

With your template defined, you can use it to write to files, like

```
action(
  type="omfile"
  file="/var/log/messages"
  template="your-template"
)
```

More details about action directives can be found here: http://www.rsyslog.com/doc/v8-stable/configuration/actions.html

And about the file output in particular: http://www.rsyslog.com/doc/v8-stable/configuration/modules/omfile.html

Radu Gheorghe
  • Yes, I'm after http://www.rsyslog.com/doc/v8-stable/configuration/templates.html. But I want to set a custom message in the template, i.e. `$template sampletemplate,",|%syslogpriority%,host_ip=$ip,|%syslogfacility% |,timestamp=%timegenerated%,host_name=%HOSTNAME%,%syslogtag%,%msg%,user=?,source=? \n`. So I want to replace the ? mark with custom information coming from the application/script. – SecureTech Oct 22 '15 at 06:59
  • If you want to send custom stuff from your app and use that in your template, I suggest you send JSON and parse that. Here's a complete howto: http://blog.sematext.com/2013/05/28/structured-logging-with-rsyslog-and-elasticsearch/ Though by now you have packages for mmjsonparse as well, so it should be more straightforward. – Radu Gheorghe Oct 26 '15 at 11:01
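
The approach from the answer and its comments (a template fed by JSON that mmjsonparse extracts), as an added example that is not part of the original thread. The template name `custom-fields`, the output path `/var/log/app-custom.log`, the tag `myapp` and the JSON keys `user`, `source` and `msg` are assumptions chosen for illustration.

```rsyslog
# Added example: rsyslog v8 RainerScript, e.g. in a file under /etc/rsyslog.d/
#
# The application sends its custom fields as JSON behind the "@cee:" cookie.
# Constructed sample input, sent from a shell:
#   logger -t myapp '@cee: {"user":"alice","source":"10.0.0.5","msg":"login ok"}'

module(load="mmjsonparse")   # turns the JSON payload into $!<key> properties

# List-type template: fixed text and message properties are spelled out one by one.
template(name="custom-fields" type="list") {
    constant(value="priority=")
    property(name="syslogpriority")
    constant(value=",timestamp=")
    property(name="timegenerated" dateFormat="rfc3339")
    constant(value=",host_name=")
    property(name="hostname")
    constant(value=",tag=")
    property(name="syslogtag")
    # Values below are supplied by the application, so treat them as untrusted:
    # escape control characters so a decoded newline cannot start a forged line.
    constant(value=",user=")
    property(name="$!user" controlcharacters="escape")
    constant(value=",source=")
    property(name="$!source" controlcharacters="escape")
    constant(value=",msg=")
    property(name="$!msg" controlcharacters="escape")
    constant(value="\n")
}

# Try to parse every message; only messages that carried valid JSON
# are written with the custom template.
action(type="mmjsonparse")
if $parsesuccess == "OK" then {
    # Assumption: a separate file is used so that tools reading
    # /var/log/messages keep seeing the default format.
    action(type="omfile" file="/var/log/app-custom.log" template="custom-fields")
}
```

A value containing a comma or `key=` text can still imitate extra fields in this flat comma-separated layout, so consumers that parse the file should not trust field boundaries inside `user`, `source` or `msg`.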