I am trying to export kernel logs (/var/log/messages) to remote Syslog servers using rsyslog.
I am required to export in various standard formats like RFC3339, RFC3164, and RFC5424. Can someone please tell me how to solve this issue? I believe this attribute needs to be used:
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
The format used in your question deprecated. You can still use it, but if you're writing a config from scratch I would recommend using the new "advanced" rsyslog format.
template(name="someName" type="string" string="messageFormat")
RFC3339 message template:
template(name"RFC3339_Format" type="string"
string=""%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n""
)
RFC3164 message template:
template(name="RFC3164_Format" type="string"
string="<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%\n"
)
Note to sysklogd users: sysklogd does not support RFC3164 format, which is the default forwarding template in rsyslog.
RFC5424 message template:
template(name="RSYSLOG_SyslogProtocol23Format" type="string"
string="<%PRI%>1 %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"
)
the format specified in IETF’s internet-draft ietf-syslog-protocol-23, which is very close to the actual syslog standard RFC5424. This format includes several improvements. You may use this format with all relatively recent versions of rsyslog or syslogd.
