Rsyslog is one of those tools that is on every modern Linux distro, but I never got to read the manual about it. The website of rsyslog is rather complex and not really attracting me to read it.  In essence rsyslog is just a logging mechanism. However it is so full featured, that configuration gets complex quick, a downside of powerful tools… I don’t want to have a complex logging setup, most people are looking for simple “hacks”. Like centralizing rsyslog output.


For example, I have an application I would like to have filtered out from /var/log/messages, why ? Well /var/log/messages is full of “useless verbose/debug output”. In this example server (centos 7.1) I have messages from dhclient, chronyd, dbus, dbus-deamon, NetworkManager (euhk?), kernel messages from a IBM kernel module, …  So its pretty messy, I could filter out all applications, but many of these are essential and work together, hence when a problem occurs its easy to have them in one place. My application however, is not really connected to the “state” of the machine, While I could just create my own logging mechanism, other developers/sysadmins will first look in /var/log/*, so why reinvent the wheel ? My target :

in blue, services sending logging to /var/log/messages, in red my application that is sending to /var/log/tape, using rsyslog's filters.

in blue, services sending logging to /var/log/messages, in red my application that is sending to /var/log/tape, using rsyslog’s filters.

Solution
My application calls logger (/usr/bin/logger) with a  -t from tag (I guess). By default they are logged in /var/log/messages. It is however possible to filter them out and put them in a separate file.

create /etc/rsyslog.d/tape.conf

# separate tape logging in a separate file
if $programname == 'tape' then /var/log/tape.log
& stop

The first line is going to look for “-t tape” and store them in /var/log/tape.log, the second line is telling rsyslog that’s pretty much it. Earlier versions of rsyslog also accepted &~ this is however deprecated, now the keyword stop seems to do it.

This would catch log messages such :

logger -t tape "my tapelog message"

Don’t forget to reload rsyslog first. (restart would also work)

service rsyslog reload

pretty sure there are cleaner ways to do it, but this works. Hooray for small easy hacks!