Rsyslog is a rocket-fast system for log processing. It offers high performance, great security, and a modular design. It has developed quickly and has come to be considered a Swiss Army knife in the logging field. It has a strong enterprise focus and also scales down to smaller systems. It supports MySQL, PostgreSQL, failover log destinations, syslog/tcp transport, fine-grained output format control, high-precision timestamps, queued operations, and the ability to filter parts of any message.
Shown below is a sample /var/log/messages format in my CentOS 7 system.
# tailf /var/log/messages
Nov 21 11:03:22 NVMBD1S12BKPMED06 su: (to oracle) root on none
Nov 21 11:03:22 NVMBD1S12BKPMED06 su: (to oracle) root on none
Nov 21 11:03:22 NVMBD1S12BKPMED06 su: (to oracle) root on none
Nov 21 11:03:23 NVMBD1S12BKPMED06 su: (to oracle) root on none
...
We can modify this format according to our requirement using the rsyslog configuration file /etc/rsyslog.conf. Follow the steps outlined below to customize the log format with rsyslog.
Customizing the log format with rsyslog
1. Adding rsyslog template
Add your template on any line of /etc/rsyslog.conf using the syntax below:
# vi /etc/rsyslog.conf
$template [template name], [template pattern]
For example:
# vi /etc/rsyslog.conf
$template myFormat, "%timegenerated% %hostname% %syslogfacility-text%:%syslogpriority-text% %syslogtag%%msg:::drop-last-lf%\n"
Each "%xxx%" token is called a property replacer. The property replacers used by the above template have the following meanings:
- %timegenerated% : timestamp when the message was received
- %hostname% : hostname that sent the message
- %syslogfacility-text% : syslog facility
- %syslogpriority-text% : syslog priority
- %syslogtag% : tag
- %msg% : the message sent to syslog; the :::drop-last-lf option used in the template strips the message's trailing line feed, so the template's own \n is the only line break written
For more details about the property replacer, refer to http://www.rsyslog.com/doc/v8-stable/configuration/property_replacer.html.
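To see what the template above actually produces, here is a small Python renderer added for this article (it is not rsyslog code): it parses an RFC 3164 message, derives the facility and priority names from the PRI value, and expands the page's myFormat template. The facility and priority name tables follow rsyslog's; the sample message, the hostname "host" in the second message and the reception time are constructed values; and the control-character escaping models rsyslog's default $EscapeControlCharactersOnReceive behaviour, included here so the example also shows why an embedded newline inside a message cannot split one record into two lines of the log file.

```python
"""Render an rsyslog-style template over RFC 3164 syslog messages.

Added example (not rsyslog code): it mimics the property replacers used
by the page's myFormat template so you can see what each one expands to.
"""
import re
from datetime import datetime

# rsyslog's textual facility names, indexed by facility number (PRI // 8).
FACILITY_TEXT = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
    "solaris-cron", "local0", "local1", "local2", "local3", "local4",
    "local5", "local6", "local7",
]
# Severity names, indexed by severity number (PRI % 8).
PRIORITY_TEXT = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 3164 wire format: <PRI>Mmm dd hh:mm:ss hostname tag msg
# DOTALL keeps a trailing LF inside "rest" so drop-last-lf has something to drop.
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<rest>.*)$",
    re.DOTALL,
)

# %name% or %name:fromChar:toChar:options% (only the options part is modelled)
PROPERTY = re.compile(
    r"%(?P<name>[a-zA-Z-]+)(?::(?P<frm>[^:%]*):(?P<to>[^:%]*):(?P<opts>[^%]*))?%"
)


def escape_control_chars(text):
    """'#' + 3-digit octal for control characters, modelled on rsyslog's default
    $EscapeControlCharactersOnReceive=on. An embedded LF becomes '#012', so one
    received message can never span two lines in the output file."""
    return "".join(
        f"#{ord(ch):03o}" if ord(ch) < 0x20 or ord(ch) == 0x7F else ch for ch in text
    )


def parse_rfc3164(line, received_at):
    """Split one wire message into the properties the template refers to."""
    m = RFC3164.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 message: {line!r}")
    pri = int(m["pri"])
    if pri > 191:
        raise ValueError(f"PRI out of range: {pri}")
    rest = m["rest"]
    # rsyslog keeps the colon in syslogtag and the leading space in msg, which
    # is why the page's template writes %syslogtag%%msg% with no space between.
    tag, colon, msg = rest.partition(":")
    if not colon:  # no colon at all: the first word is the tag
        tag, _, msg = rest.partition(" ")
        msg = " " + msg
    return {
        # timegenerated is the receiver's clock; timereported is whatever the
        # sender wrote into the message, and the two need not agree.
        "timegenerated": f"{received_at:%b} {received_at.day:2d} {received_at:%H:%M:%S}",
        "timereported": m["ts"],
        "hostname": m["host"],
        "syslogfacility-text": FACILITY_TEXT[pri // 8],
        "syslogpriority-text": PRIORITY_TEXT[pri % 8],
        "syslogtag": tag + colon,
        "msg": msg,
    }


def render(template, props):
    """Expand every %property% in an rsyslog template string."""
    def expand(m):
        name = m["name"]
        if name not in props:
            raise KeyError(f"unsupported property {name!r}")
        value = props[name]
        options = (m["opts"] or "").split(",")
        if "drop-last-lf" in options and value.endswith("\n"):
            value = value[:-1]
        return escape_control_chars(value)
    # the config file's literal \n is a real line feed in the rendered output
    return PROPERTY.sub(expand, template.replace("\\n", "\n"))


# The template from the page, exactly as it is written in rsyslog.conf.
MY_FORMAT = (r"%timegenerated% %hostname% %syslogfacility-text%:%syslogpriority-text% "
             r"%syslogtag%%msg:::drop-last-lf%\n")
# Constructed sample: the page's su line as it would arrive on the wire
# (PRI 85 = facility 10 authpriv, severity 5 notice) and a fixed reception time.
SAMPLE = "<85>Nov 21 11:03:22 NVMBD1S12BKPMED06 su: (to oracle) root on none\n"
RECEIVED_AT = datetime(2017, 11, 21, 11, 3, 22)


def format_sample(line=SAMPLE):
    """Render one wire message with the page's myFormat template."""
    return render(MY_FORMAT, parse_rfc3164(line, RECEIVED_AT))


if __name__ == "__main__":
    print(format_sample(), end="")
    # embedded control characters stay inside a single output line
    print(format_sample("<85>Nov 21 11:03:22 host su: one\ntwo\tthree\n"), end="")
```

Running it prints the su line in the myFormat layout, followed by a message whose embedded newline and tab come out as #012 and #011 on a single line. Note that %timegenerated% is taken from the receiving host's clock, so when you compare it with the timestamp carried inside the message you can spot senders with skewed or forged clocks.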
2. Bind a custom template to logs
– To bind it to all logs as the default:
# vi /etc/rsyslog.conf
$ActionFileDefaultTemplate [your template name]
For example:
# vi /etc/rsyslog.conf
#### GLOBAL DIRECTIVES ####
: snip :
$ActionFileDefaultTemplate myFormat
– To bind it only to a specific log pattern:
# vi /etc/rsyslog.conf
[filter pattern] [action];[your template name]
For example:
# vi /etc/rsyslog.conf
*.info;mail.none;authpriv.none;cron.none /var/log/messages;myFormat
3. Restart rsyslog service
Restart the rsyslog service once you are done with all the changes to the /etc/rsyslog.conf file.
# service rsyslog restart      ### For CentOS/RHEL 6
# systemctl restart rsyslog    ### For CentOS/RHEL 7