Mailing List Archive

Display the custom token automatically in the original syslog messages generated by rsyslog
We have purchased a cloud-based application with multi-tenant support that we have deployed for ourselves and a number of our customers. This particular cloud-based application has a custom token assigned and defined for each and every customer that we have, including ourselves, for ease of identification.

* This cloud-based application that we're using at the moment has a section in its settings to configure the SYSLOG connectivity details of the preferred syslog application / service, such as rsyslog or syslog-ng, with the IP / hostname of the syslog server, TCP / UDP port, syslog severity, syslog facility, etc., and it is in that very section, or should I say location, where the option for the custom token is also defined. We were also able to confirm with the vendor that the option to output the custom token through SYSLOG is readily available.

* However, when rsyslog was deployed on an Ubuntu Server VM and connected to this particular cloud-based application, it started sending all the SYSLOG data without an issue except for the custom token, and now we have a hard time distinguishing which syslog message belongs to which customer.

* We don't want to manually add the custom token details in a template or a JSON script in the rsyslog.conf file, as it will become quite cumbersome to manage with the increasing number of customers in the future.

* What we simply want is for all the original SYSLOG messages generated by the rsyslog server to display the custom token automatically, without any manual configuration of the custom token in the rsyslog.conf configuration file.

Any suggestion on how to achieve this is greatly appreciated.

Below is the rsyslog.conf file used in our rsyslog Ubuntu Server VM deployment:

# /etc/rsyslog.conf Configuration file for rsyslog.
#
# For more information see
# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
#
# Default logging rules can be found in /etc/rsyslog.d/50-default.conf


#################
#### MODULES ####
#################

module(load="imuxsock") # provides support for local system logging
#module(load="immark") # provides --MARK-- message capability

# provides UDP syslog reception
#module(load="imudp")
#input(type="imudp" port="514")

# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="6514")

# Template 1
$template RemoteSource, "/var/log/%FROMHOST-IP%.log"
*.* ?RemoteSource


# provides kernel logging support and enable non-kernel klog messages
module(load="imklog" permitnonkernelfacility="on")

###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Filter duplicated messages
$RepeatedMsgReduction on

#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog

#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog

#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf


Rgds,

Amila


_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: Display the custom token automatically in the original syslog messages generated by rsyslog
You will have to define a template for your custom token because no default
template is going to know about your token.

The instructions on how to configure rsyslog to send the message with the token
(which you don't include, so we can't know how that app wants the token) include
creating a template and configuring rsyslog to use the new template to deliver
the message.

If you can show us those instructions, and talk about how you would decide which
token to use, we can help you adapt the instructions to a multi-customer
environment.

But without more information, anything we would say would be a guess.

David Lang
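
Added example, not part of the original posts and not from the rsyslog project or the application vendor: one way to attach a per-customer token on the receiving rsyslog server without touching the rules for each new customer, using an rsyslog lookup table. It assumes each customer's messages arrive from a distinct source IP (the thread does not say how a customer can be identified); the file paths, table, template and ruleset names, addresses and token values are constructed placeholders.

```conf
# /etc/rsyslog.d/10-tenant-token.conf  (hypothetical file name)
# Assumption: one source IP per customer. The thread does not state how
# the application marks a customer, so adjust the lookup key to match.

# The customer-to-token map lives in its own JSON file, so adding a
# customer means editing that file and sending rsyslog a HUP, not
# changing any rule or template.
lookup_table(name="tenant_by_ip"
             file="/etc/rsyslog.d/tenant_by_ip.json"
             reloadOnHUP="on")

# Contents of /etc/rsyslog.d/tenant_by_ip.json (constructed sample values):
# { "version": 1,
#   "nomatch": "UNKNOWN",
#   "type": "string",
#   "table": [
#     { "index": "192.0.2.10", "value": "TOKEN-CUSTOMER-A" },
#     { "index": "192.0.2.20", "value": "TOKEN-CUSTOMER-B" }
#   ] }

# One file per token. The token comes from the lookup table, never from
# the message text, so a sender cannot choose the file name.
template(name="TenantFile" type="string"
         string="/var/log/tenants/%$.tenant%.log")

# Each stored line carries the token next to the original message.
template(name="TenantLine" type="string"
         string="%timegenerated:::date-rfc3339% %fromhost-ip% token=%$.tenant% %syslogtag%%msg%\n")

ruleset(name="remote_tenants") {
    set $.tenant = lookup("tenant_by_ip", $fromhost-ip);
    action(type="omfile" dynaFile="TenantFile" template="TenantLine")
}

# Bind the TCP listener from the posted rsyslog.conf to the ruleset
# (this replaces the unbound input(type="imtcp" port="6514") line there).
input(type="imtcp" port="6514" ruleset="remote_tenants")
```

Messages from an address that is missing from the table are written to UNKNOWN.log, which makes unexpected senders easy to spot and alert on.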


On Wed, 19 Feb 2020, Amila Dias via rsyslog wrote:

> Date: Wed, 19 Feb 2020 03:30:14 +0000
> From: Amila Dias via rsyslog <rsyslog@lists.adiscon.com>
> To: "rsyslog@lists.adiscon.com" <rsyslog@lists.adiscon.com>
> Cc: Amila Dias <Amila.Dias@quantei.com>
> Subject: [rsyslog] Display the custom token automatically in the original
> syslog messages generated by rsyslog