Rsyslog comes with a limited set of log file formats. These resemble the default format that people (and log analyzers) usually expect. However, for some reason or another, it may be required to change the log format. In this recipe, we define a new format and use it as the default format for all log files.
Config Statements
$template myFormat,"%rawmsg%\n"
$ActionFileDefaultTemplate myFormat
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* /var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
Things to think about
The template and ActionFileDefaultTemplate statements must be made at the top of the configuration file, before any of the files are specified.
How it works
The Template-statement defines the new format. It consists of fields to be written, potential modifications as well as literal text. In the sample config statement, “rawmsg” is a property that contains the syslog message as it was received by rsyslogd (“received” from any source, for example a remote system or the local log socket). The string “\n” is a line feed (ASCII LF), a constant being added to the string. Usually, log line templates need to end with “\n”, because without that, all log records would be written into a single line. Note that there are many fields and options for these fields that you can specify. The system is very flexible. But getting into the detail of all of that is beyond the scope of this cookbook-style book. Please see the “property replacer” official documentation for more details.
The $ActionFileDefaultTemplate then makes the newly defined template the default for all file actions. This saves you from specifying it on every single action line. Otherwise, it is equivalent to:
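$template myFormat,"%rawmsg%\n"
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages;myFormat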
# The authpriv file has restricted access.
authpriv.* /var/log/secure;myFormat
# Log all the mail messages in one place.
mail.* /var/log/maillog;myFormat
# Log cron stuff
cron.* /var/log/cron;myFormat
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler;myFormat
# Save boot messages also to boot.log
local7.* /var/log/boot.log;myFormat
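The following is an added example, not part of the original recipe. It shows a template that uses more of the property replacer than %rawmsg%: every line starts with the time rsyslogd received the message and the IP address it came from (both set by the receiver, not by the sender), followed by facility and severity. The template name auditFormat is an assumption; the properties and options are standard rsyslog ones.

```conf
# Added example, not from the original recipe. "auditFormat" is a made-up name.
# Templates go at the top of the file, before any file actions.

# timegenerated       = time rsyslogd received the message (not the sender's clock)
# fromhost-ip         = IP address of the system the message was received from
# syslogfacility-text = facility as text (auth, mail, local7, ...)
# syslogseverity-text = severity as text (info, err, crit, ...)
# sp-if-no-1st-sp     = emit a space if msg does not start with one
# drop-last-lf        = strip a trailing LF inside the message before our own "\n"
$template auditFormat,"%timegenerated:::date-rfc3339% %fromhost-ip% %syslogfacility-text%.%syslogseverity-text% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"

# The recipe's raw format, kept for one file below.
$template myFormat,"%rawmsg%\n"

# auditFormat becomes the default for every file action that names no template.
$ActionFileDefaultTemplate auditFormat

# These files use the default (auditFormat).
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* /var/log/maillog
cron.* /var/log/cron

# An action that names a template overrides the default for that file only.
local7.* /var/log/boot.log;myFormat
```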


And…
“But getting into the detail of all of that is beyond the scope of this cookbook-style book.”
Very funny! Perhaps you have read a cookbook where you need some spices or ingredients, but the author just assumes that everyone knows what is “frimminjamzen” and tells you you need 100g, but you don’t know what this is. A little Google and you know that it is anchovies. This situation is not so bad… it is just a translation.
Now imagine that the same author tells you to “arnzarnz” the potatoes and leeks, but only his family uses this word. Now Google becomes less useful. Maybe you will be lucky and another family uses it, enough that a search engine can help you eventually discover that it means to dice the mixture into 1cm cubes.
The situation is worse, but not hopeless.
Finally, imagine that a software author tells us how to apply a special format to a system logger. The author does not tell us how to make the special format template, or where to put it so that the software will find it. He simply tells us we can use one and give it whatever name we like…
It is like the Spanish recipes for a love potion… one needs a unicorn horn and a tooth from a chimera, although everything else is easy to find. The recipes NEVER explain where one can FIND a unicorn (yes, yes, we know that you must have a virgin, but then what?) let alone find the “unicorn horn” or where one can find the tooth of a chimera.
In our case, we are missing “see this document or url for more info” or “the filepath to the templates is xxx/xxxx” or “here is an example”.
There is nothing here explaining:
- where is the default template specified?
- where can one find the format for the template?
PS – the cross reference is for:
http://rsyslog.com/doc/rsyslog_conf_templates.html
This describes the format. I think we can just put them in the main config file, but again, no simple instructions exist.
For example, there is no explanation of the standard debug template output.
I just want to see facility and level displayed on each line. I found the syntax from a ~version 1.7 document, but maybe it will not work.
I think the software is very good, but the documentation is full but unstructured perhaps.
I know it is hard to find time for such cleanup. Thanks!
Well, how about doing some of that work yourself? I am far from opposing doc contributions. I know the doc is not good, but there is so much to do. The open source way is collaboration, not a single person doing all the work ;)