Tag rsyslog messages


Any ideas how I can tag the rsyslog messages sent to the remote server? Cumulus recommends not to use "imfile" module for the logs genrated by rsyslog. So I am not sure if there is any other module that supports this.

Swetha

2 replies

Userlevel 3
You can always tag it on the remote server, based on the same tags that we use in the control files in /etc/rsyslog.d/* ; that's almost certainly the easiest way.

It's also possible to use linux tools to filter before sending the logs remote. I'm traveling at the moment, so I don't have references for that.

If you google, you'll find that just about everybody will tell you not to use imfile or input() to re-process logfiles that are already being written by rsyslogd, because it means the same messages will recursively get processed multiple times.
Thanks Dave. I attempted the following and this works well so far.
cat /etc/rsyslog.d/11-remote.conf

template(name="TEMPLATE" type="string" string="<%PRI%>%TIMESTAMP% %HOSTNAME% cumulus_%programname%%msg:::sp-if-no-1st-sp%%msg%")
action(type="omfwd" Target="10.30.32.68" Device="mgmt" Port="514" Protocol="udp" Template="TEMPLATE")

Based on cumulus_ I was able to create files in my logserver.

Reply