Extract data from syslog with rsyslog

Question

I'm actually working on Syslog Server in CentOS 7. I would like to create a dynamic file from the user variable on the message part.

So, in my example, if the message part is :

30-Jan-2022 11:50:10 HOSTNAME ... pri=5 confid=01 slotlevel=2 user="A.Smith" domain="lab.test" ...

I want to dynamically create a file (named A.Smith) and put all logs from the user A.Smith in here. And do this for all the others : 400 users.

My rsyslog.conf is currently configured like this :

 $template ChangeFormatLog,"%$day%-%timegenerated:1:3:date-rfc3164%-%$year% %timegenerated:12:19:date-rfc3339% %HOSTNAME% %syslogtag% %msg%\n"
 
 $templateDynamicFile,"/var/log/syslogclients/$YEAR-$MONTH-$DAY/%HOSTNAME%.log"
 
 *.* ?DynamicFile;ChangeFormatLog

I don't know what to write in the rsyslog.conf to retrieve this data .. or if it's possible (?)

Someone can help me plz ?

Answer 1

What you're trying to achieve is not possible just using rsyslog. This answer is based on the assumption, that you have multiple users on multiple host machines.

1. Create a script which creates a username.log files for each user.

2. Create a script which writes all needed data to username.log file

3. Forward all the username.log files to your syslog server

Answer 2

The problem is that i have arround 20 computers for arround 400 users.

It’s internet station for clients. They can put their ID on a captive portal into Firefox. They share the same account windows.

I just want to create user.log (user = ID put into the captive portal), in my server syslog.

Actually i retrieve my logs like that :

30-Jan-2022 11:50:10 HOSTNAME ... pri=5 confid=01 slotlevel=2 user="A.Smith" domain="lab.test" ..

I guess it’s possible with a script who analyzes the frames .. Dunno how to do this