
Syslog

The following is based on rsyslog but is applicable to syslog in general. The config examples use the "legacy" directive syntax of rsyslog 5.x; newer versions still accept it. Further details can be found in the man pages and online; what follows is well documented elsewhere but is listed here to improve awareness.

Timestamps

ISO 8601 timestamps should be used whenever possible: they carry the year, the timezone offset and sub-second precision, none of which the traditional syslog timestamp ("Dec 12 10:15:32") provides, so events from different hosts can be ordered and correlated without guesswork. To enable this within rsyslog we need to make the following minor change (RSYSLOG_FileFormat writes RFC 3339 timestamps, a profile of ISO 8601).

vim /etc/rsyslog.conf

  # Use high precision timestamps
  # $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
  $ActionFileDefaultTemplate RSYSLOG_FileFormat

Using the logger command

When you need to write to a log file from a script, use the logger command rather than appending to a file yourself. This ensures entries get uniform timestamps and can be forwarded to a central syslog server like any other syslog message.

When using logger make use of the -t and -p flags to distinguish your program. -t sets the application tag (the programname that the filters below match on) and -p sets facility.severity, e.g.

echo This is info | logger -t my_script -p local3.info

echo This is an error | logger -t my_script -p local3.err

Filtering logs

In the above example the log entries would end up in /var/log/messages. For ease of use let's direct these entries to their own file. By default rsyslog.conf includes every file in /etc/rsyslog.d/ that ends in .conf, so we can drop filter files in there.

vim /etc/rsyslog.d/my_script.conf

  :programname , isequal , "my_script" /var/log/my_script.log
  & ~

The "& ~" line is the discard action (~) applied to the same selector as the line above it (&): a matching entry is written to our file and then dropped, so it goes no further through the rule set. Without it the entry would appear both in our custom log and in /var/log/messages. This relies on the /etc/rsyslog.d include sitting above the default rules in rsyslog.conf, as the stock configuration on most distributions does.
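To make the timestamp and filtering points concrete, here is an added example (mine, not from this page or from rsyslog) that parses lines in both RSYSLOG_TraditionalFileFormat and RSYSLOG_FileFormat, normalises the RFC 3339 ones to UTC, and replays the programname routing with and without the "& ~" discard. The sample log lines, hostnames and PIDs are constructed; the rule tuples are my own modelling of rsyslog's behaviour, not its syntax.

```python
# Added example (not from the page): parse both rsyslog file formats and
# replay the ':programname, isequal ... / & ~' routing on sample lines.
import re
from datetime import datetime, timezone

# Constructed sample lines. The first two are what RSYSLOG_TraditionalFileFormat
# writes (no year, no timezone, whole seconds); the rest are RSYSLOG_FileFormat
# output (RFC 3339 timestamps). Hostnames, PIDs and texts are made up.
SAMPLE_LINES = [
    "Dec 12 10:15:32 web01 my_script: This is info",
    "Dec 12 10:15:32 web01 sshd[2411]: Accepted publickey for deploy from 10.0.0.5 port 51022 ssh2",
    "2013-12-12T10:15:32.123456+00:00 web01 my_script: This is an error",
    "2013-12-12T10:15:32.654321+01:00 web02 sshd[3105]: Failed password for root from 10.0.0.9 port 40112 ssh2",
    "2013-12-12T10:15:33.000001-05:00 web01 foo: 2013-12-12 10:15:32 crappy[77] started",
]

# Everything after the timestamp is the same in both formats: host, tag[pid]: msg
_HEADER = r" (?P<host>\S+) (?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
TRADITIONAL_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d)" + _HEADER)
ISO_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:\.\d+)?(?:Z|[+-]\d\d:\d\d))" + _HEADER)


def _parse_rfc3339(ts):
    """Parse an RFC 3339 timestamp into an aware datetime (fraction optional)."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%f%z", "%Y-%m-%dT%H:%M:%S%z"):
        try:
            return datetime.strptime(ts, fmt)
        except ValueError:
            continue
    raise ValueError(f"unparseable RFC 3339 timestamp: {ts}")


def parse_line(line):
    """Return a record dict, or None if the line matches neither format.
    Traditional timestamps get timestamp=None: without a year or a zone they
    cannot be mapped to an instant on their own."""
    m = ISO_RE.match(line)
    if m:
        ts, fmt = _parse_rfc3339(m.group("ts")), "iso8601"
    else:
        m = TRADITIONAL_RE.match(line)
        if not m:
            return None
        ts, fmt = None, "traditional"
    return {
        "format": fmt,
        "timestamp": ts,
        "host": m.group("host"),
        "programname": m.group("tag"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "msg": m.group("msg"),
    }


def to_utc(rec):
    """Normalise an ISO 8601 record to a UTC string so lines from hosts in
    different zones sort correctly; traditional records cannot be normalised."""
    if rec["timestamp"] is None:
        return None
    return rec["timestamp"].astimezone(timezone.utc).isoformat()


def route(lines, rules, catch_all="/var/log/messages"):
    """Replay rsyslog's rule processing on parsed lines.
    Each rule is (programname, destination, stop). stop=True models the
    '& ~' line: the matched message is discarded after the write, so it never
    reaches the catch-all rule that feeds /var/log/messages."""
    out = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        discarded = False
        for prog, dest, stop in rules:
            if rec["programname"] == prog:
                out.setdefault(dest, []).append(rec["msg"])
                if stop:
                    discarded = True
                    break
        if not discarded:
            out.setdefault(catch_all, []).append(rec["msg"])
    return out


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_line(line)
        print(rec["format"], rec["host"], rec["programname"], to_utc(rec))
    rules = [("my_script", "/var/log/my_script.log", True)]
    print("with '& ~':   ", route(SAMPLE_LINES, rules))
    rules[0] = ("my_script", "/var/log/my_script.log", False)
    print("without '& ~':", route(SAMPLE_LINES, rules))
```

Running it shows that only the RFC 3339 lines can be placed on a UTC timeline, and that without the discard the my_script entries land in /var/log/messages as well as in their own file. The parser is also a reasonable starting point for ad-hoc triage of files under /var/log.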

Logging from applications that don't use syslog

If you have an application that writes to its own log and does not provide an option to write to syslog, there are two workarounds that can be used.

Note: I have not been able to combine imfile and named pipes; if you find a solution please add the details here. When attempting to use both on CentOS 6.4 / rsyslog 5.8.10, echoing into the named pipe hung until I manually tailed the pipe; rsyslog did not seem to pick this up.

imfile rsyslog module

This is the simplest method: we simply tell rsyslog to watch a file and record its contents via syslog. The only downside is that we end up with two copies of every line. Note rsyslog by default checks the file every 10 seconds; this can be tuned with $InputFilePollInterval if you wish (note: more frequent checking == higher system load).

vim /etc/rsyslog.d/file.conf

  $ModLoad imfile
  $InputFileName /var/log/crappy.log
  $InputFileTag foo
  $InputFileStateFile stat-foo
  $InputRunFileMonitor
  
  # Our input file already has a timestamp and likely a PID/ proc name
  # the below is a template to only log the message to the host syslog
  # this avoids having two timestamps
  $template drop,"%msg%\n"


  # Let's be clever and filter this too, note we specify the template at the end
  :programname , isequal , "foo" /var/log/not_so_crappy.log;drop
  & ~

remote only

If you don't need these logs on the local machine we can forward them to the central syslog server and not store a duplicate locally. Two things to watch. First, the drop template strips the syslog header, so the receiver would get a bare line with no hostname or tag and could not attribute it; use RSYSLOG_ForwardFormat (rsyslog's built-in forwarding template) for the network action and, if you want a single timestamp in the stored file, apply a drop-style template on the receiving side instead. Second, as before, the & ~ line is what stops the entry also landing in the local /var/log/messages.

:programname , isequal , "foo" @@syslog.host:514;RSYSLOG_ForwardFormat
& ~

@@ forwards over TCP (a single @ means UDP); neither encrypts the traffic, so use rsyslog's TLS support if it crosses an untrusted network.

named pipes

This is a more complex example but does not result in log duplication. We make a named pipe (FIFO) and point the application at it as its log file; since a FIFO is opened and written to like a regular file, the application needs no syslog support of its own.

# Make a named pipe and direct our non syslog application to log here
mkfifo /var/log/crummy.log

# Redirect from the named pipe into logger
tail -f /var/log/crummy.log | logger -t bar

# Filter to desired log file
vim /etc/rsyslog.d/crummy_log.conf

  :programname , isequal , "bar" /var/log/not_so_crummy.log
  & ~

TODO: obviously this introduces another process pair (tail / logger) that needs to be running, so it really should be daemonized and supervised. Note also that a write to a FIFO blocks until something has it open for reading, so the application will stall if the reader dies.
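As an added example of what that daemon could look like (mine, not from this page), here is a small Python forwarder that replaces the tail / logger pair: it creates the FIFO, refuses to use a non-FIFO at that path, reassembles lines from partial pipe reads, neutralises control characters and emits each line via the syslog module with tag bar and facility local3. The path, tag and facility are assumptions carried over from the page's example. It is meant to be started by your init system or supervisor, which takes care of daemonizing and restarting it.

```python
# Added example (not from the page): a daemon-able replacement for
# "tail -f /var/log/crummy.log | logger -t bar". Path, tag and facility are
# assumptions taken from the page's example, not from any real application.
import os
import stat
import syslog

FIFO_PATH = "/var/log/crummy.log"   # assumed: the FIFO from the page's mkfifo step
TAG = "bar"                          # assumed: the programname the rsyslog filter matches
FACILITY = syslog.LOG_LOCAL3


def prepare_fifo(path, mode=0o620):
    """Create the FIFO if it is missing and refuse to proceed if something else
    (a regular file, or a symlink someone planted) sits at that path."""
    if not os.path.lexists(path):
        os.mkfifo(path, mode)
    if not stat.S_ISFIFO(os.lstat(path).st_mode):
        raise RuntimeError(f"{path} exists but is not a FIFO")
    return path


def split_records(buf):
    """Split raw bytes read from the pipe into complete lines plus the
    unterminated tail. read() returns whatever is in the pipe, so a line can
    arrive in several chunks or several lines in one chunk. Empty lines are dropped."""
    parts = buf.split(b"\n")
    tail = parts.pop()
    lines = [p.decode("utf-8", "replace") for p in parts if p]
    return lines, tail


def sanitize(line):
    """Replace control characters (ESC, CR, ...) with '?', keeping tabs. rsyslog
    escapes them itself by default ($EscapeControlCharactersOnReceive), but doing
    it here keeps terminal-escape and log-injection tricks out regardless of the
    receiving daemon's configuration."""
    line = line.rstrip("\r")
    return "".join(c if c.isprintable() or c == "\t" else "?" for c in line)


def forward(lines, prio=syslog.LOG_INFO):
    """Emit one syslog record per non-empty line; returns the number sent."""
    sent = 0
    for line in lines:
        clean = sanitize(line)
        if clean:
            syslog.syslog(prio, clean)
            sent += 1
    return sent


def run(path=FIFO_PATH):
    syslog.openlog(ident=TAG, facility=FACILITY)
    prepare_fifo(path)
    # O_RDWR: we hold a writer end ourselves, so read() blocks waiting for data
    # instead of returning EOF every time the application closes the pipe.
    # (A plain writer blocks until a reader has the FIFO open, which is why an
    # 'echo > fifo' with nobody reading appears to hang.)
    fd = os.open(path, os.O_RDWR)
    tail = b""
    while True:
        chunk = os.read(fd, 65536)
        if not chunk:
            break
        lines, tail = split_records(tail + chunk)
        forward(lines)


if __name__ == "__main__":
    run()
```

The rsyslog filter from the crummy_log.conf step above applies unchanged, since the records still carry the tag bar. Permissions on the FIFO (mode 0620 here, owned by the forwarder's user with the application's group) decide who can inject lines into that log, so do not leave it world-writable.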

-- GeorgeBrown - 2013-12-12

Topic revision: r8 - 2014-02-12 - PabloFernandez