27

How can I forward message from a specific log file like /www/myapp/log/test.log with rsyslog client to remote rsyslog server? This log file is outside of the directory /var/log.

Rahul
Kevin Campion

2 Answers

45

Just set up an imfile rule in your /etc/rsyslog.conf:

#/etc/rsyslog.conf
$ModLoad imfile
$InputFileName /data/mysql/error.log
$InputFileTag mysql-error
$InputFileStateFile stat-mysql-error
$InputFileSeverity error
$InputFileFacility local3
$InputRunFileMonitor
local3.* @@hostname:<portnumber>

This watches a file and saves to the local3 facility in syslog. Then you can send all data from the local3 facility to your remote server. You may also want to add the following to your rsyslog conf (usually /etc/rsyslog.d/50-default.conf on Ubuntu) to not save the local3 facility to /var/log/syslog:

#/etc/rsyslog.d/50-default.conf
*.*;auth,authpriv.none,local1.none,local2.none,local3.none,local4.none,local5.none,local6.none          -/var/log/syslog

Additionally, I would encourage some reading from the following rsyslog docs for more advanced filtering:

  1. The Property Replacer
  2. Filter Conditions
Nathan Smith
Bryan York
  • This is very helpful, thank you Bryan. My only challenge here is the line to keep the extra logs out of the client-side /var/log/syslog doesn't work for me on Ubuntu 12.04. Probably a PEBKAC, but I wonder if this is a known challenge? – James T Snell Sep 08 '14 at 20:54
  • Figured it out. My problem was that /etc/rsyslog.d/50-default.conf already had a statement beginning with *.*;auth;authpriv.none.. That line seems to take precedence. So by adding the last line you've given, it has no effect. Instead, the pre-existing similar one must be modified. Very helpful. Thanks! – James T Snell Sep 08 '14 at 21:48
  • What about adding multiple log files? @BryanYork – Akhil Dec 30 '19 at 07:38
1

On Ubuntu, I also had to comment out the drop-privileges lines in order to get rsyslog to actually read the log file outside of /var/logs.

#/etc/rsyslog.conf
$ModLoad imfile
$InputFileName /data/mysql/error.log
$InputFileTag mysql-error
$InputFileStateFile stat-mysql-error
$InputFileSeverity error
$InputFileFacility local3
$InputRunFileMonitor
local3.* @@hostname:<portnumber>

# Set the default permissions for all log files.
#
#$FileOwner syslog
#$FileGroup adm
#$FileCreateMode 0640
#$DirCreateMode 0755
#$Umask 0022
#$PrivDropToUser syslog
#$PrivDropToGroup syslog
jozwikjp
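
Added example, not from either answer: once rsyslog has dropped to the syslog user, imfile can only open a file if that user has search (x) permission on every parent directory and read permission on the file itself, so this script walks the path and names the first component that blocks it. It assumes plain file permissions are the cause (not AppArmor or SELinux) and that syslog is the drop-to user, as in the commented-out lines above; first_blocker and check_logs are names made up for the example.

```shell
#!/bin/sh
# Added example; run as the account rsyslog drops to (hypothetical file name):
#   sudo -u syslog sh check_log_access.sh /www/myapp/log/test.log

# first_blocker PATH: print the first path component the current user cannot
# use and return 1; print nothing and return 0 when the file is readable.
first_blocker() {
    target=$1
    case $target in
        /*) ;;
        *) echo "$target: not an absolute path"; return 2 ;;
    esac
    rest=${target#/}
    current=
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest= ;;
        esac
        [ -z "$part" ] && continue          # tolerate doubled slashes
        current="$current/$part"
        if [ ! -e "$current" ]; then
            echo "$current: does not exist"; return 1
        elif [ -n "$rest" ] && [ ! -x "$current" ]; then
            echo "$current: no search (x) permission"; return 1
        elif [ -z "$rest" ] && [ ! -r "$current" ]; then
            echo "$current: no read (r) permission"; return 1
        fi
    done
    return 0
}

# check_logs FILE...: report every file; succeed only if all are readable.
check_logs() {
    blocked=0
    for log in "$@"; do
        if reason=$(first_blocker "$log"); then
            echo "ok       $log"
        else
            echo "blocked  $log ($reason)"
            blocked=$((blocked + 1))
        fi
    done
    [ "$blocked" -eq 0 ]
}
if [ "$#" -gt 0 ]; then
    check_logs "$@" || echo "fix the components above instead of running rsyslog as root"
fi
```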