Wednesday, January 20, 2010

Using rsyslog to log with dynamic file names

I wanted to split logs into /host/year/month/host-yyyy-mm-dd_syslog to avoid having to have a rotate rule for each one. The first thing I tried was syslog-ng, which I found difficult to configure. It also had a memory leak that resulted in logs being lost and the box running out of memory.

Now I'm trialling rsyslogd, which looks quite good. Unfortunately it took much longer to configure than I had hoped. I wanted something fairly simple - the split of logs as above, and local logs going to the regular files to prevent any confusion when others need to use the box. The config I came up with was:

$template timeandhost_auth, "/var/log/rsyslog/%FROMHOST%/%$YEAR%/%$MONTH%/%FROMHOST%-%$NOW%-auth.log"
$template timeandhost_syslog, "/var/log/rsyslog/%FROMHOST%/%$YEAR%/%$MONTH%/%FROMHOST%-%$NOW%-syslog.log"

if $source != 'mybox' then ?timeandhost_syslog
if $source != 'mybox' and ($syslogfacility-text == 'authpriv' or $syslogfacility-text == 'auth') then ?timeandhost_auth
if $syslogfacility-text == 'cron' then -/var/log/cron.log

if $source == 'mybox' and ($syslogfacility-text == 'authpriv' or $syslogfacility-text == 'auth') then /var/log/auth.log
if $source == 'mybox' then -/var/log/syslog

if $source == 'mybox' and $syslogfacility-text == 'daemon' then -/var/log/daemon.log
if $source == 'mybox' and $syslogfacility-text == 'kern' then -/var/log/kern.log

The example config for what I wanted to do was wrong. The source is not 'localhost', but whatever the local dns name is ('mybox').

I also had to change $FileGroup to 'syslog' from 'adm' to make it work, even though this shouldn't have mattered. Without this I was getting 'Could not open dynamic file' errors where the file would be created with the right permissions and ownership, but rsyslogd then couldn't write to it.

No comments: