A dead simple tutorial on how to forward Rsyslog messages to a file

Malhar Vora
3 min read, Sep 20, 2019


For about 3 weeks I have been working with Rsyslog. I have been configuring it in various ways, trying different plugins, etc.

This article is written as a handy reference for configuring Rsyslog to forward logs to a file. It is not meant to be an exhaustive guide to the subject.

A brief about Rsyslog

Rsyslog is open-source software available for Unix systems. It is used to forward system logs to various destinations, located locally or remotely over an IP network. It was developed by the German software engineer Rainer Gerhards.

It is a plugin-based system that takes input from various sources through its variety of input plugins and forwards the logs it receives to a wide variety of destinations: search engines like Elasticsearch, message queues like RabbitMQ, databases like MySQL, and local targets like files and named pipes.

If you don’t find the plugin you are looking for, you can create your own.

An advantage of Rsyslog is that it comes as the default log forwarding utility with Linux, so you don’t have to introduce an external dependency.

Here we will talk about an output plugin of Rsyslog called omfile. It is a built-in module, which means you don’t have to load it explicitly. It is used to write messages to a file residing on the local file system.

This article assumes that you have Rsyslog installed and working on your system. If not, you can read here about how to do it.

In the example given below we will forward error messages to a separate file.

Follow the steps given below to configure Rsyslog.

1. Create a file /etc/rsyslog.d/0-filefwd.conf with the following content.
/etc/rsyslog.d/0-filefwd.conf

You can change the file path from /tmp/error.log to something else. This configuration could also be put in Rsyslog’s master configuration file, /etc/rsyslog.conf, but a minor mistake there can break your working Rsyslog installation, so it is considered good practice to put your configuration in a separate file in the /etc/rsyslog.d/ directory.

$syslogseverity is a message property that Rsyslog exposes. You can read more about syslog severity levels at https://en.wikipedia.org/wiki/Syslog#Severity_level.

The word action specifies an Action object in Rsyslog that describes what to do with a message. Just as objects in programming languages have attributes, an Action has various parameters. Some of them are general and apply to all modules, and some are action specific.

The type attribute is a string argument that specifies the module to be used. It is mandatory for every action. Here we use the module called omfile, so we specify the type as omfile.

The file attribute is again a string argument; it specifies the name of the destination file that Rsyslog will forward logs to. The owner, group and permissions of the created file and directories can be set using parameters like dirCreateMode, dirOwner, fileCreateMode, fileOwner, etc. You can learn about the various parameters at https://www.rsyslog.com/doc/v8-stable/configuration/modules/omfile.html.
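The embedded configuration from step 1 did not survive on this page, so the following is an added example of what such a file can look like; it is written for this article and is not the author’s original gist. It assumes a severity threshold of err and more severe (value 3 or lower), and the create-mode parameters are hardening choices taken from the omfile documentation linked above rather than from the tutorial.

```rsyslog
# Added example: /etc/rsyslog.d/0-filefwd.conf (not the author's original gist)
# Kept in its own file under /etc/rsyslog.d/ so a mistake here does not
# break the main /etc/rsyslog.conf.

# Syslog severity is numeric: 0=emerg, 1=alert, 2=crit, 3=err, 4=warning,
# 5=notice, 6=info, 7=debug. "<= 3" matches err and anything more severe;
# use "== 3" if you want err only.
if $syslogseverity <= 3 then {
    action(
        type="omfile"
        # Path used in the tutorial; a world-writable directory such as /tmp
        # is a poor home for a log file, so in practice prefer /var/log/.
        file="/tmp/error.log"
        # Assumed hardening choices (not from the tutorial): create the file and
        # any missing directories without world-read access, like /var/log/*.
        fileCreateMode="0640"
        dirCreateMode="0750"
        createDirs="on"
    )
    # Uncomment "stop" if the matched messages should NOT also be written to
    # the default log files (/var/log/syslog or /var/log/messages).
    # stop
}
```

Validate the file with rsyslogd -N1 before restarting the service, as described in the Troubleshooting section.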

2. systemctl restart rsyslog

This command restarts Rsyslog and loads the configuration file that we created.

3. logger -i -p local3.err "Error in connecting to database"

This command sends a message with severity err (error) to syslog.

4. tail -f /tmp/error.log

Run the above command in another terminal and you will see the messages arrive there.

Troubleshooting

If you don’t see messages in the output file, check the following.

1. Verify your configuration using the command given below.

rsyslogd -N1 -f /etc/rsyslog.d/0-filefwd.conf

2. Check that the Rsyslog process has permission to write to the output file and its directory.

Other tools such as syslog-ng, Fluentd, Logstash and Graylog2 are also available as alternatives to Rsyslog.
