Rsyslog Debug

At some point you will need to write new rsyslog rules, and to do that you need to know which rsyslog property holds which part of an incoming message. Here is a way to find out.

Create the file /etc/rsyslog.d/enableDebug.conf with the following content:

*.* /var/log/all.log;RSYSLOG_DebugFormat

This file applies the built-in RSYSLOG_DebugFormat template to every message that reaches the rsyslog daemon (the *.* selector matches all facilities and all priorities) and writes the result to /var/log/all.log.

Next, restart the rsyslog daemon and check /var/log/all.log. Keep in mind that this file receives a copy of every message, including anything sensitive that other rules route elsewhere, and that it grows quickly; remove enableDebug.conf and restart rsyslog again once you have what you need.

You will find entries like the one below, in which every property is labelled, so you can see which property to filter on:

Debug line with all properties:
FROMHOST: '10.11.1.2', fromhost-ip: '10.11.1.2', HOSTNAME: 'vnu-itp', PRI: 142,
syslogtag 'logger:', programname: 'logger', APP-NAME: 'logger', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Aug 26 13:42:31', STRUCTURED-DATA: '-',
msg: ' 10.11.21.77 - - [26/Aug/2011:13:42:31 +0700] "GET /webmail/?_task=mail&_action=check-recent&_t=1314345048866&_list=1&_search=056f11e7f6181122079878bceacca04a&_remote=1&_=1314345048867&_unlock=1 HTTP/1.1" 200 164 "https://vnu-itp.edu.vn/webmail/?_task=mail" "Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20100101 Firefox/6.0"'
escaped msg: ' 10.11.21.77 - - [26/Aug/2011:13:42:31 +0700] "GET /webmail/?_task=mail&_action=check-recent&_t=1314345048866&_list=1&_search=056f11e7f6181122079878bceacca04a&_remote=1&_=1314345048867&_unlock=1 HTTP/1.1" 200 164 "https://vnu-itp.edu.vn/webmail/?_task=mail" "Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20100101 Firefox/6.0"'
rawmsg: '<142>Aug 26 13:42:31 vnu-itp logger: 10.11.21.77 - - [26/Aug/2011:13:42:31 +0700] "GET /webmail/?_task=mail&_action=check-recent&_t=1314345048866&_list=1&_search=056f11e7f6181122079878bceacca04a&_remote=1&_=1314345048867&_unlock=1 HTTP/1.1" 200 164 "https://vnu-itp.edu.vn/webmail/?_task=mail" "Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20100101 Firefox/6.0"'

After identifying the properties to filter on (in the sample above, PRI 142 decodes to facility 17 = local1 and severity 6 = info, which is what $syslogfacility-text and $syslogseverity-text return, and programname is 'logger'), create another .conf file in /etc/rsyslog.d/ with the necessary rules:

if $syslogfacility-text == 'local3' and $programname == 'tag1' then /var/log/tag1.log
& ~

The & continues the previous filter, i.e. it applies a second action to the same matched messages, and ~ is the discard action: messages that match the filter are written to /var/log/tag1.log and then dropped, so no later rule (for example the catch-all in /etc/rsyslog.conf) processes them again. On rsyslog 7 and later, ~ is deprecated and & stop is the equivalent. Order matters: rsyslog processes rules in the order they are read, and /etc/rsyslog.d/*.conf is typically included in alphabetical file-name order, so a discarding rule that comes before enableDebug.conf keeps those messages out of /var/log/all.log.
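To make the mapping between a raw line and the properties concrete, and to show how a rule chain with & ~ behaves, here is an added example in Python. It is not code from the original page or from the rsyslog project: it parses a raw RFC 3164 line (the rawmsg in the debug output above) into the properties that RSYSLOG_DebugFormat labels, and routes each message through a rule table that stands for rules of the form "if $syslogfacility-text == X and $programname == Y then file" followed by "& ~". The facility names for codes 12-15, the rule table and the sample lines are assumptions constructed for this example (the first sample is adapted from the page's own debug line).

```python
"""
Added example; not code from the original page or from the rsyslog project.
Parses a raw RFC 3164 syslog line into the properties that RSYSLOG_DebugFormat
labels, then evaluates filter rules of the form used in the rules file:

    if $syslogfacility-text == 'local3' and $programname == 'tag1' then ...
    & ~

Assumptions: lines carry a PRI, a BSD timestamp, a hostname and a 'tag[pid]:'
prefix; facility names for codes 12-15 follow rsyslog's table (other
implementations name them differently); the rule table and sample lines
below are constructed for this example.
"""
import re

# Facility codes 0-23 as $syslogfacility-text reports them
# (names for codes 12-15 are an assumption; check your version's table).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
    "solaris-cron", "local0", "local1", "local2", "local3", "local4",
    "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>TIMESTAMP HOSTNAME TAG[PID]:MSG  (MSG keeps its leading space, as rsyslog does)
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) "
    r"(?P<tag>[^:\s\[]+)(?:\[(?P<procid>\d+)\])?:"
    r"(?P<msg>.*)$",
    re.DOTALL,
)


def parse(raw: str, fromhost_ip: str) -> dict:
    """Map one raw line to the rsyslog property names printed by RSYSLOG_DebugFormat."""
    m = RFC3164_RE.match(raw)
    if m is None:
        raise ValueError(f"not an RFC 3164 line with a tag: {raw!r}")
    pri = int(m["pri"])
    if pri > 191:                      # 23*8 + 7 is the largest valid PRI
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    procid = m["procid"]
    return {
        "rawmsg": raw,
        "fromhost-ip": fromhost_ip,
        "pri": pri,
        "syslogfacility": facility,
        "syslogfacility-text": FACILITIES[facility],
        "syslogseverity": severity,
        "syslogseverity-text": SEVERITIES[severity],
        "timestamp": m["timestamp"],
        "hostname": m["hostname"],
        # syslogtag keeps the pid and the colon; programname is the bare name
        "syslogtag": m["tag"] + (f"[{procid}]" if procid else "") + ":",
        "programname": m["tag"],
        "procid": procid or "-",
        "msg": m["msg"],
    }


# Constructed rule table: (facility-text, programname, destination), in file order.
# Each entry stands for  "if ... then <dest>"  followed by  "& ~".
RULES = [
    ("local3", "tag1", "/var/log/tag1.log"),
    ("local1", "logger", "/var/log/webmail-access.log"),
]


def route(props: dict, rules=RULES, default="/var/log/syslog") -> str:
    """First matching rule wins and discards the message (& ~); anything else
    falls through to the catch-all destination."""
    for facility_text, programname, dest in rules:
        if props["syslogfacility-text"] == facility_text and props["programname"] == programname:
            return dest
    return default


# Constructed sample input as (fromhost-ip, rawmsg); the first is adapted from the page's debug line.
SAMPLES = [
    ("10.11.1.2", '<142>Aug 26 13:42:31 vnu-itp logger: 10.11.21.77 - - "GET /webmail/ HTTP/1.1" 200 164'),
    ("10.11.1.3", "<158>Aug 26 13:42:32 app01 tag1[2311]: user admin logged in"),
    ("10.11.1.9", "<38>Aug 26 13:42:33 app01 sshd[1020]: Accepted publickey for ops from 10.11.1.9 port 50022"),
]


def routed_samples() -> list:
    """Return (programname, facility.severity, destination) for each sample line."""
    out = []
    for ip, raw in SAMPLES:
        p = parse(raw, ip)
        out.append((p["programname"], f'{p["syslogfacility-text"]}.{p["syslogseverity-text"]}', route(p)))
    return out


if __name__ == "__main__":
    for ip, raw in SAMPLES:
        p = parse(raw, ip)
        for k in ("fromhost-ip", "pri", "syslogfacility-text", "syslogseverity-text",
                  "hostname", "syslogtag", "programname", "procid", "msg"):
            print(f"{k}: {p[k]!r}")
        print("-> routed to", route(p))
        print()
```

Running it prints each sample's properties in the same vocabulary as the debug line, then the file the rule chain would send it to: the 'logger' line (PRI 142, local1.info) is caught by the second rule, the 'tag1' line (PRI 158, local3.info) by the first, and the sshd line (auth.info) matches nothing and falls through to the default. If a rule never fires for a message you expected it to catch, compare the parsed syslogfacility-text and programname with the literals in your rule before suspecting rsyslog.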

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License