A dead simple tutorial on how to forward Rsyslog messages to a file

Since about 3 weeks I have been working with Rsyslog. I have been configuring it in various ways, trying different plugins etc.

This article is written to be referred as a handy guide to configure Rsyslog to forward logs to a file. It is not meant to be an exhaustive guide to do the same work.

It is plugin based system that takes input from various systems through its variety of plugins and forwards those logs that it has received to a wide variety of destination that includes search engines like Elasticsearch, message queue like RabbitMQ, database like MySQL to locations like file, named pipe etc.

If you don’t find the plugin you are looking for, you can create your own.

The advantage of Rsyslog is it comes as a default log forwarding utility with Linux so you don’t have to introduce external dependency.

Here We will talk about an output plugin of Rsyslog called omfile. It is a built in module which means you don’t have to load it explicitly. It is used to write messages to a file residing on local file system.

In the example given below We will forward error messages to separate file.

Follow the steps given below to configure Rsyslog.

You can change the file path from /tmp/error.log to something else. This configuration can be put in master configuration file of Rsyslog called /etc/rsyslog.conf but a minor mistake can break your working Rsyslog installation so it is considered as a good practice to create a separate file with your configuration in /etc/rsyslog.d/ directory.

The word action specifies an Action object in Rsyslog that describes what to do with message. Like we have an attributes of object in programming languages, we have various parameters related to Action. Some of them are general and applies to all modules and some are action specific.

type attribute is a string argument that specifies the module to be used. It is mandatory for every action. Here we use a module called omfile and so we specify type as omfile. omfile

2. systemctl restart rsyslog

This command restarts Rsyslog and loads a configuration file that we created.

3. logger -i -p local3.err “Error in connecting to database”

This command sends a message with severity error in syslog.

4. tail -f /tmp/error.log

Execute above command in another terminal and you can see messages coming there.

If you don’t see messages in output file then you can check the following things.

rsyslogd -N1 -f /etc/rsyslog.d/0-filefwd.conf

2. Check if output file has sufficient permissions to write to it.

There are other softwares like syslog-ng, FluentD, Logstash, GreyLog2 also available as an alternative to Rsyslog.

Related posts:

This first pattern may appear to be irrational. In the event that customers are progressively inspired by maintainability, by what method would sustainability be able to give less brand advantage…