how to send only specific files to remote server using rsyslog

Question

I am new to rsyslog. I have multiple servers(rsyslog servers) sending syslog messages to a remote server(syslog-ng server). Right now, I am sending everything to the remote server. I want to filter out and send logs from specific files to the remote server.

10-custom.conf - this is the custom config file which I am using

#Forward specific logs to remote server
module(load="imfile")

input(type="imfile"
      file="/var/log/tomcat8/bar.log"
      Tag="bar:")

input(type="imfile"
      file="/var/log/tomcat8/foo.log"
      Tag="foo:")

input(type="imfile"
      file="/var/log/dpkg.log"
      Tag="dpkg:")

input(type="imfile"
      file="/var/log/syslog"
      Tag="syslog:")

input(type="imfile"
      file="/var/log/auth.log"
      Tag="auth:")

input(type="imfile"
      file="/var/log/kern.log"
      Tag="kern:")


#if $Tag == "catalina:" then @@remoteserver:port
:syslogtag, isequal, "catalina:" @@remoteserver:port
& stop

I am trying to filter out based on Tags and send it to remote server. I couldn't get this working.

What's best way to get this set up?

Thanks in advance!

[Super User](http://superuser.com/) or [Unix & Linux Stack Exchange](http://unix.stackexchange.com/) — jww, Nov 29 '18 at 09:43

score 1 · Answer 1 · answered Mar 04 '22 at 02:23

The following sample monitors two files. If you need just one, remove the second one. If you need more, add them according to the sample ;). This code must be placed in /etc/rsyslog.conf (or wherever your distro puts rsyslog’s config files). Note that only commands actually needed need to be specified. The second file uses less commands and uses defaults instead.

module(load="imfile" PollingInterval="10") #needs to be done just once

# File 1
input(type="imfile"
      File="/path/to/file1"
      Tag="tag1"
      Severity="error"
      Facility="local7")

# File 2
input(type="imfile"
      File="/path/to/file2"
      Tag="tag2")

# ... and so on ... #

score 0 · Answer 2 · edited Sep 03 '20 at 09:41

0

You can place statements on top of rsyslog.conf like mentioned in here:

https://www.rsyslog.com/discarding-unwanted-messages/

For instance, assuming you want to send only a specific facility messages to a remote log server, such as all related mail messages regardless of the priority level, add the line below to rsyslog configuration file:

mail.* @192.168.10.254:514

edited Sep 03 '20 at 09:41

user2066657

444
1
4
23

answered Nov 30 '18 at 05:10

HostechSupport

1

how to send only specific files to remote server using rsyslog

2 Answers2