LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Enterprise (https://www.linuxquestions.org/questions/linux-enterprise-47/)
-   -   Configuring more than one custom file in syslog (https://www.linuxquestions.org/questions/linux-enterprise-47/configuring-more-than-one-custom-file-in-syslog-4175557863/)

carpannav 11-03-2015 08:47 AM
Configuring more than one custom file in syslog
 
Hello,

I've been asked to setup syslog to forward custom log files (different from /var/log/*) to a network machine.
After some googling found the solution for one file, using the next paragraph in /etc/rsyslog.conf:

$ModLoad imfile
$InputFileName /var/log/vco/app-server/warning.log
$InputFileTag vco-warning
$InputFileStateFile stat-vco-warning
$InputFileSeverity warning
$InputFileFacility local3
$InputRunFileMonitor
local3.* @@172.17.11.11:514

But if I try to configure another file (like you can see below), the first stops working and only the second one is forwarded.


$InputFileName /var/log/vco/app-server/catalina.out
$InputFileTag vco-catalina
$InputFileStateFile stat-vco-catalina
$InputFileSeverity warning
$InputFileFacility local4
$InputRunFileMonitor
local4.* @@172.17.11.11:514

Does anyone know how to enable forwarding for more than one custom file to a remote syslog?

Thank you so much!

Habitual 11-04-2015 01:26 PM
Here's a 'watchfile' I have from my Archived notes.
It forwards 2 files.
Code:
### edit /etc/rsyslog.d/10-watchfile.conf

# apache error.log
$InputFileName /var/log/apache2/error.log
$InputFileTag apache-errors:
$InputFileStateFile state_file_error_apache
$InputFileFacility local6
$InputFileSeverity info
$InputRunFileMonitor
$InputFilePollInterval 10

# apache access.log
$InputFileName /var/log/apache2/access.log
$InputFileTag apache-access:
$InputFileStateFile state_file_access_apache
$InputFileFacility local6
$InputFileSeverity info
$InputRunFileMonitor
$InputFilePollInterval 10

if $programname == 'apache-access' then @xx.xx.xxx.xxx:514
& stop
if $programname == 'apache-errors' then @xx.xx.xxx.xxx:514
& stop
I abandoned this arrangement in favor of logstash-forwarder.
Hope this is useful for you.

carpannav 11-06-2015 05:32 AM
It's working now.

I made one mistake. If you put it in the main file it doesn't work. Needs to be in a separate file in /etc/rsyslog.d !!



Thanks Habitual!!! ;)

Habitual 11-06-2015 08:38 AM
Rock on. Glad it worked out.
And Welcome to LQ!


All times are GMT -5. The time now is 03:56 AM.