I have a program which outputs to syslog with a given tag/program name. I'd like to be able to filter syslog traffic from that program and send it to a remote syslog server, leaving all other syslog traffic local.
I can send all traffic to the remote server with
*.* @remote_server
How do I filter it?
Rsyslog config files are located in: /etc/rsyslog.d/*.conf
Rsyslog reads the conf files sequentially, so it is important that you name your config file so that the specific config is loaded before anything else happens. So, name your file starting with leading zero's, i.e. 00-my-file.conf. It's better to create a new file so that updates and so on doesn't overwrite your local config.
Example:
if $programname == 'programname' and $msg contains 'a text string' and $syslogseverity <= '6' then /var/log/custom/bind.log
Or if you just want to discard certain entries:
if $programname == 'programname' then ~
In your case: (UDP)
if $programname == 'programname' then @remote.syslog.server
& ~
Or (TCP)
if $programname == 'programname' then @@remote.syslog.server
& ~
The & ~ means to stop processing matching (previous line only!) entries further.
Some more general info:
Also, always make sure filters are on the same line:
# Example: Log mail server control messages to mail-queue.log
if $hostname == 'titus'
and $programname == 'smtp.queue.'
and $syslogseverity <= '6' then /var/log/titus/mail-queue.log
& ~
Usefull filters:
$hostname
$programname
$msg
$syslogseverity
Operators:
== (equals)
contains
and
or
More info: http://wiki.rsyslog.com/index.php/Configuration_Samples
