How do I configure rsyslog to send logs from a specific program to a remote syslog server?
Rsyslog config files are located in: /etc/rsyslog.d/*.conf
Rsyslog reads the conf files sequentially, so it is important that you name your config file so that the specific config is loaded before anything else happens. So, name your file starting with leading zeros, i.e. 00-my-file.conf. It's better to create a new file so that updates and so on don't overwrite your local config.
Example:
if $programname == 'programname' and $msg contains 'a text string' and $syslogseverity <= '6' then /var/log/custom/bind.log
Or if you just want to discard certain entries:
if $programname == 'programname' then ~
In your case: (UDP)
if $programname == 'programname' then @remote.syslog.server
& ~
Or (TCP)
if $programname == 'programname' then @@remote.syslog.server
& ~
The & ~ means to stop processing matching (previous line only!) entries further.
Some more general info:
Also, always make sure filters are on the same line:
# Example: Log mail server control messages to mail-queue.log
if $hostname == 'titus'\
and $programname == 'smtp.queue.'\
and $syslogseverity <= '6' then /var/log/titus/mail-queue.log
& ~
Useful filters:
$hostname
$programname
$msg
$syslogseverity
Operators:
== (equals)
contains
and
or
More info: http://wiki.rsyslog.com/index.php/Configuration_Samples
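The TCP forwarding rule from the answer above, rewritten in the RainerScript syntax of rsyslog v7 and later, where `stop` replaces the deprecated `~` discard action. This is an added example, not part of the original answer; port 514, the queue file name and the queue sizes are assumptions, while programname and remote.syslog.server are the placeholders used above.

```conf
# /etc/rsyslog.d/00-my-file.conf  (file name as suggested in the answer)
#
# Forward everything logged by one program to a remote collector over TCP
# and keep it out of the local log files.

if $programname == 'programname' then {
    action(
        type="omfwd"
        target="remote.syslog.server"    # placeholder host from the answer
        port="514"                       # assumption: default syslog port
        protocol="tcp"                   # same transport as the @@ form

        # Give the action its own disk-assisted queue so messages are
        # buffered instead of dropped while the collector is unreachable.
        queue.type="LinkedList"
        queue.filename="fwd_programname" # assumption: spool file prefix
        queue.maxDiskSpace="1g"          # assumption: cap on spool size
        queue.saveOnShutdown="on"        # persist queued messages on restart
        action.resumeRetryCount="-1"     # retry forever, never give up
    )
    # Equivalent of "& ~": no later rule sees these messages.
    stop
}

# Like the @@ form, this sends plain-text syslog; anyone on the network
# path can read or alter the messages.
#
# Check the syntax before restarting the daemon:
#   rsyslogd -N1
# Then emit a test message with the matching tag and confirm it arrives
# on the collector and does not appear in the local logs:
#   logger -t programname "forwarding test"
```

Without the queue parameters, a collector outage blocks the action and messages from this program can be lost once the main queue fills.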