I have some random files that I would like to collect and forward to my logging server. These are applications that don't really support GELF, so I am trying to forward these files with rsyslog:

```
# Apache access log
input(type="imfile" File="/var/log/misc/blah.log"
Tag="Apache Access Log"
StateFile="statefile1")


*.* @@log.ospreyreach.com:12514
```

Some issues/questions:

  1. This forwards all the syslog files. How can I specify only certain specific files to get forwarded?
  2. This does not seem to collect any data from the file I defined. I see regular syslog messages popping up in my graylog server, but not that file.
Goro
  • I think you may need to read a primer on syslog. Syslog doesn't send *files*, syslog sends messages with both a `facility` and a `priority` tag associated with the message. `*.*` is not a filename, it's saying forward every message from any facility and with any priority. –  May 03 '14 at 04:47

1 Answer

Try this LEGACY rsyslog formatted version:

```
# Forward apache logs to graylog2 server
$ModLoad imfile # needs to be done just once

$InputFileName /var/log/httpd/access.log
$InputFileTag ApacheAccessLog:
$InputFileStateFile access.log.statefile
$InputFileFacility local4
$InputFileSeverity info
$InputRunFileMonitor

$InputFileName /var/log/httpd/error.log
$InputFileTag ApacheErrorLog:
$InputFileStateFile error.log.statefile
$InputFileFacility local4
$InputFileSeverity error
$InputRunFileMonitor

local4.*                        @@log.ospreyreach.com:12514
& stop
```

You can do similar entries for your other log files.

After that, create some extractors on your graylog2 server for the 12514/TCP input. This will give you some fine grain options for graphs etc.

John
  • This will also spam messages to syslog. How do I not send /var/log/httpd/error.log to syslog in this case? – Khurshid Alam Dec 16 '19 at 12:10
  • @KhurshidAlam I believe you can add "& stop" after the local4.* line to do that. As long as the above config comes before any other /var/log/syslog line. You can name your config like /etc/rsyslog.d/40-apache.conf to do this also usually as the defaults are in 50-default.conf (in my version anyway) – John Feb 21 '20 at 12:02
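
The same forwarding in rsyslog's newer `input()`/`action()` syntax, as an added example that is not part of the original question or answer: binding each imfile input to its own ruleset forwards only those files and keeps their lines out of the local syslog files, which covers both the first question and the follow-up comment. Paths, tags, facility and target are taken from the answer above; the ruleset name `forward_apache` and the queue settings are assumptions made for this example.

```conf
# Added example (not from the answer). Assumes rsyslog 8.x, where imfile
# keeps its own state files, so no StateFile parameter is needed.
module(load="imfile")   # load once, before any imfile input

# Each input is bound to the ruleset below, so its lines never pass through
# the default ruleset (the rules that write /var/log/syslog and friends).
input(type="imfile"
      File="/var/log/httpd/access.log"
      Tag="ApacheAccessLog:"
      Facility="local4"
      Severity="info"
      ruleset="forward_apache")

input(type="imfile"
      File="/var/log/httpd/error.log"
      Tag="ApacheErrorLog:"
      Facility="local4"
      Severity="error"
      ruleset="forward_apache")

# "forward_apache" is a name chosen for this example.
ruleset(name="forward_apache") {
    # protocol="tcp" is what "@@" means in the legacy selector line:
    # plain, unencrypted TCP to the Graylog input.
    action(type="omfwd"
           target="log.ospreyreach.com"
           port="12514"
           protocol="tcp"
           # Buffer in memory and keep retrying while the server is down,
           # instead of suspending the action after the first failure.
           queue.type="LinkedList"
           action.resumeRetryCount="-1")
}
```

Because the inputs are bound to a dedicated ruleset, no `& stop` line or file-ordering trick in /etc/rsyslog.d/ is needed to keep these messages out of the default rules.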