Mailing List Archive

How to redirect rsyslog messages from a specific unix socket to a different log file
Hi,

I have been trying to implement separate logging for haproxy.
But I end up with duplicate logging and can't separate logs based on the
input socket or facility alone.

My sample configuration in haproxy:

Global configuration:
log /dev/log len 1024 format local local0 debug

Frontend -1 configuration (for Web requests):
log /dev/request-log len 1024 format local local1 debug

Frontend-2 configuration (for DB requests):
log /dev/db-log len 1024 format local local2 debug

So here I was basically trying to redirect logs to different sockets and
additionally I also used different facilities for each, because I don't
know how to redirect messages based on input socket.

And in rsyslog configuration, I added the following:

$AddUnixListenSocket /var/lib/haproxy/dev/log
local0.* /var/log/haproxy/haproxy.log
$AddUnixListenSocket /var/lib/haproxy/dev/request-log
local2.* /var/log/haproxy/requests.log
$AddUnixListenSocket /var/lib/haproxy/dev/db-log
local3.* /var/log/haproxy/db.log


But all the above log files have the same logging, i.e., web request
logging, db logging and other haproxy logging are all duplicated in these
three files, and also in the default /var/log/messages.

Complete rsyslog.conf:

$ModLoad imuxsock
$ModLoad imjournal
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$SystemLogSocketName /run/systemd/journal/syslog
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
local1.* /var/log/keepalived.log
$AddUnixListenSocket /var/lib/haproxy/dev/log
local0.* /var/log/haproxy/haproxy.log
$AddUnixListenSocket /var/lib/haproxy/dev/request-log
local2.* /var/log/haproxy/requests.log
$AddUnixListenSocket /var/lib/haproxy/dev/db-log
local3.* /var/log/haproxy/db.log

I see it works correctly if I use something like this instead of using
facility (i.e., no duplication happens):
:programname, startswith, "haproxy" {
/var/log/haproxy/haproxy.log
stop
}

But it is unwanted extra processing when it could be easy to filter out
messages based on input socket or facility name.
Can anyone help me understand why the duplication is happening, but not in
the case of other default sections like cron, mail, authpriv etc., where
there is no duplication?
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: How to redirect rsyslog messages from a specific unix socket to a different log file
You can't do it using the legacy syntax. What you would need to do is to create
a ruleset for each socket that you want to use and have that ruleset write to
the file.

However, you should be able to filter on other data. Please log some messages
using the RSYSLOG_DebugFormat template and look at the variables set. I expect
that one of them (probably input, but I'm not 100% sure without trying it
myself) will show the socket name that you received the log from (and there may
be other data in the log message that you can filter on).

But using a ruleset for each input will clearly work.

David Lang

On Fri, 14 Oct 2022, Jeevan Patnaik via rsyslog wrote:

> Date: Fri, 14 Oct 2022 17:11:28 +0530
> From: Jeevan Patnaik via rsyslog <rsyslog@lists.adiscon.com>
> To: rsyslog@lists.adiscon.com
> Cc: Jeevan Patnaik <g1patnaik@gmail.com>
> Subject: [rsyslog] How to redirect rsyslog messages from a specific unix socket
> to a different log file
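
The ruleset-per-socket approach suggested in the reply, written out as an added example (not from the thread or from the rsyslog project). It assumes imuxsock is already loaded as in the posted rsyslog.conf and that the installed rsyslog accepts the `ruleset` parameter on imuxsock inputs (documented as available since 8.17.0); the socket and file paths are the ones from the original post, and the ruleset names are made up for illustration.

```rsyslog
# Added example: replaces the three "$AddUnixListenSocket" + "localN.*"
# pairs at the end of the posted rsyslog.conf. RainerScript statements
# can live in the same file as the legacy directives above them.
#
# Ruleset names (haproxy_main, haproxy_requests, haproxy_db) are
# hypothetical; paths are taken from the original post.

# Define the rulesets before the inputs that refer to them.
# A message bound to one of these rulesets is processed only by that
# ruleset's actions. It never enters the default ruleset, so it is not
# copied to /var/log/messages or to the other haproxy files.
ruleset(name="haproxy_main") {
    action(type="omfile" file="/var/log/haproxy/haproxy.log")
    # Temporary aid for inspecting message properties, as suggested in
    # the reply; remove once routing is confirmed:
    # action(type="omfile" file="/var/log/haproxy/debug.log"
    #        template="RSYSLOG_DebugFormat")
}

ruleset(name="haproxy_requests") {
    action(type="omfile" file="/var/log/haproxy/requests.log")
}

ruleset(name="haproxy_db") {
    action(type="omfile" file="/var/log/haproxy/db.log")
}

# One input per additional listen socket, each bound to its own ruleset.
# Routing is decided by the socket the message arrived on, so no
# facility or programname filter is needed.
input(type="imuxsock" Socket="/var/lib/haproxy/dev/log"
      ruleset="haproxy_main")
input(type="imuxsock" Socket="/var/lib/haproxy/dev/request-log"
      ruleset="haproxy_requests")
input(type="imuxsock" Socket="/var/lib/haproxy/dev/db-log"
      ruleset="haproxy_db")
```

Run `rsyslogd -N1` to check the configuration before restarting the service.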