Mailing List Archive

Centos 7 - Splitting rsyslog messages to different log files
Hello!

On a CentOS 7, I got haproxy. I would like to split the logs from haproxy to different log files. So in /etc/rsyslog.d, I have created the following:

# Collect log with UDP
$ModLoad imudp
$UDPServerAddress 127.0.0.1
$UDPServerRun 514

# Creating separate log files based on the severity
local0.notice /var/log/haproxy-admin.log
& stop
if $programname == 'haproxy' and $msg contains "~ http_back/" then /var/log/haproxy/wp1.log
& stop
local0.* /var/log/haproxy-traffic.log
& stop

So I should get 3 different files:
haproxy-admin.log with all notice messages
wp1.log with all messages containing ‘http_back’ in it
haproxy-traffic with the rest of messages

But I only get the first and the third one. I guess that there is a mistake in the line:

if $programname == 'haproxy' and $msg contains "~ http_back/" then /var/log/haproxy/wp1.log

I am not so familiar with rsyslog (that’s the first time I am trying to do such a thing) so I do not know how I could check the content of the 2 variables: $programname and $msg.

Any advice on that?

Thx in advance!

Lydie

_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: Centos 7 - Splitting rsyslog messages to different log files
Write logs with the template RSYSLOG_DebugFormat and look at the result. I'd bet
that the programname isn't what you expect, or that your first filter is
matching everything that your second would, and since you stop processing logs
that match the first filter, nothing is left to match the second one.

David Lang

Re: Centos 7 - Splitting rsyslog messages to different log files
Thx David.

It looks like the programname variable is not set:

1031.909509937:imudp.c : recv(4,236),acl:1,msg:<134>Sep 22 18:10:31 haproxy[30548]: IP:XX.XX.XX.XX - 62528 - [22/Sep/2020:18:10:28.654] - https_front~ - http_back/albus - {website} - 200 - "GET /files/2016/03/Bar-gros-sel_5-495x400.jpg HTTP/1.1"

1031.909523552:imudp.c : msg parser: flags 70, from '~NOTRESOLVED~', msg '<134>Sep 22 18:10:31 haproxy[30548]: IP:XX.XX.XX.XX - 6252'

Is this due to the format of the log?

Thx!

Re: Centos 7 - Splitting rsyslog messages to different log files
What does the debugformat version of the log look like?


Re: Centos 7 - Splitting rsyslog messages to different log files
What do you mean exactly?

Re: Centos 7 - Splitting rsyslog messages to different log files
OK, I found the issue. I changed the part:
$msg contains "~ http_back/"
to
$msg contains "http_back"

and it works :)

Have a nice day!

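The routing decision discussed in this thread, as an added Python sketch that is not part of the original posts and is not rsyslog code: it decodes the PRI of the sample line quoted above and evaluates the three rules in order, once with each search string. The frame regex is a simplified model of a hostname-less RFC 3164 message, the NOTICE line is constructed, and `parse`, `selector_matches` and `route` are hypothetical helper names.

```python
import re

# Constructed sample: the haproxy line quoted in the thread (client IP already masked there).
SAMPLE = (
    '<134>Sep 22 18:10:31 haproxy[30548]: IP:XX.XX.XX.XX - 62528 - '
    '[22/Sep/2020:18:10:28.654] - https_front~ - http_back/albus - {website} - 200 - '
    '"GET /files/2016/03/Bar-gros-sel_5-495x400.jpg HTTP/1.1"'
)
# Constructed sample: a notice-level haproxy message (PRI 133 = local0.notice).
NOTICE = "<133>Sep 22 18:10:31 haproxy[30548]: Proxy http_back started."

LOCAL0 = 16
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Simplified model of a hostname-less RFC 3164 frame: <PRI>TIMESTAMP TAG[PID]: MSG
FRAME = re.compile(
    r"^<(\d{1,3})>\w{3} [ \d]\d \d\d:\d\d:\d\d ([^\s:\[]+)(?:\[\d+\])?:(.*)$", re.S
)


def parse(frame):
    m = FRAME.match(frame)
    if m is None:
        raise ValueError("not a <PRI>TIMESTAMP TAG: MSG frame")
    pri = int(m.group(1))
    return {
        "facility": pri >> 3,       # PRI = facility * 8 + severity
        "severity": pri & 7,
        "programname": m.group(2),  # tag up to '[' or ':'
        "msg": m.group(3),
    }


def selector_matches(rec, facility, level):
    """Traditional 'facility.level' selector: that level and anything more urgent."""
    return rec["facility"] == facility and rec["severity"] <= SEVERITIES.index(level)


def route(frame, needle):
    """Evaluate the thread's three rules in order; each one ends with 'stop'."""
    rec = parse(frame)
    if selector_matches(rec, LOCAL0, "notice"):
        return "/var/log/haproxy-admin.log"
    if rec["programname"] == "haproxy" and needle in rec["msg"]:
        return "/var/log/haproxy/wp1.log"
    if rec["facility"] == LOCAL0:
        return "/var/log/haproxy-traffic.log"
    return None


if __name__ == "__main__":
    rec = parse(SAMPLE)
    print(rec["programname"], SEVERITIES[rec["severity"]])
    for needle in ("~ http_back/", "http_back"):
        print(repr(needle), "->", route(SAMPLE, needle))
    print("notice ->", route(NOTICE, "http_back"))
```

The sample line carries `https_front~ - http_back/albus`, so the string `~ http_back/` never occurs in it, while a notice-level line is consumed by the first rule before the `contains` test runs.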