How to Configure Rsyslog to Forward Application Logs from /opt Directory to Remote Syslog Server



While Rsyslog is commonly used for system-level logging, forwarding application-specific logs requires additional configuration. The main challenge lies in properly identifying the log source and directing it to the remote server while maintaining proper format and priority.

Instead of using IncludeConfig, we'll create a dedicated configuration for your application logs. Here's a basic template:

# /etc/rsyslog.d/20-appname.conf
$ModLoad imfile

$InputFileName /opt/appname/logs/application.log
$InputFileTag appname:
$InputFileStateFile stat-appname
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor

local7.* @@remote-syslog-server:514

For more complex scenarios, consider these enhancements:

# Polling interval (seconds) and how often the state file is persisted
$InputFilePollInterval 10
$InputFilePersistStateInterval 1

# Template for custom log format
$template AppTemplate,"%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%\n"

# Specifying multiple log files
$InputFileName /opt/appname/logs/error.log
$InputFileTag appname-error:
$InputFileStateFile stat-appname-error
$InputFileSeverity error
$InputRunFileMonitor

$InputFileName /opt/appname/logs/debug.log
$InputFileTag appname-debug:
$InputFileStateFile stat-appname-debug
$InputFileSeverity debug
$InputRunFileMonitor

To properly handle log rotation, add these parameters:

$InputFileReadMode 2
$InputFileMaxLinesAtOnce 1000
$InputFileMaxSubmitAtOnce 1024

After making changes, test your configuration:

sudo rsyslogd -N1
sudo systemctl restart rsyslog
tail -f /var/log/syslog | grep appname

If logs do not show up:

  • Check file permissions on /opt/appname/logs/
  • Verify network connectivity to remote syslog server
  • Inspect /var/log/rsyslog.log for errors
  • Ensure sufficient inotify watches (sysctl fs.inotify.max_user_watches)

When setting up centralized logging, many developers successfully configure Rsyslog for system-level logs but struggle with application-specific logs. The common pain point emerges when applications write logs to custom directories like /opt/appname/logs rather than standard locations.

While IncludeConfig can work for loading additional configuration files, it's not the most direct solution for monitoring specific log files. A more elegant approach uses Rsyslog's imfile module to actively monitor application log files.

Here's a complete configuration example to monitor application logs:

# Load required modules
module(load="imfile" PollingInterval="10")
# omfwd is compiled into rsyslogd, so it is referenced with the builtin: prefix
module(load="builtin:omfwd")

# Define template for remote logging
template(name="AppLogFormat" type="string" 
         string="%TIMESTAMP:::date-rfc3339% %HOSTNAME% %app-name% %msg%\n")

# Monitor application log file
input(type="imfile"
      File="/opt/appname/logs/app.log"
      Tag="appname"
      Severity="info"
      Facility="local7"
      Ruleset="forwardToRemote")

# Define ruleset for forwarding
ruleset(name="forwardToRemote") {
    action(type="omfwd"
           Target="logs.example.com"
           Port="514"
           Protocol="tcp"
           Template="AppLogFormat"
           queue.filename="applogqueue"
           queue.size="1000000"
           queue.type="LinkedList"
           action.resumeRetryCount="-1"
           action.resumeInterval="10"
           action.reportSuspension="on")
}

PollingInterval: Sets how often Rsyslog checks the file (in seconds). For high-volume logs, consider lower values.

Template: Customizes log format before forwarding. RFC3339 timestamps ensure better time parsing.

Queue parameters: Essential for network reliability - buffers logs during connection issues.
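
As an added example (not part of the original configuration), the Python code below checks on the receiving side that forwarded lines match the AppLogFormat template. The host name web01, the sample bytes and the function names are constructed for illustration, and newline-delimited TCP framing is assumed.

```python
import re
from datetime import datetime
from typing import NamedTuple, Optional

# Wire format (AppLogFormat): "<rfc3339 timestamp> <hostname> <app-name> <msg>\n"; no %PRI% field.
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")
TS_RE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?(Z|[+-]\d\d:\d\d)$")
class Record(NamedTuple):
    timestamp: datetime
    host: str
    app: str
    msg: str

def parse_ts(text: str) -> Optional[datetime]:
    """Parse an RFC 3339 timestamp; return None if it is not one."""
    m = TS_RE.match(text)
    if not m:
        return None
    base, frac, tz = m.groups()
    frac = (frac or "0")[:6].ljust(6, "0")    # strptime takes at most microseconds
    tz = "+00:00" if tz == "Z" else tz
    try:
        return datetime.strptime(f"{base}.{frac}{tz}", "%Y-%m-%dT%H:%M:%S.%f%z")
    except ValueError:                         # well-formed but impossible, e.g. month 13
        return None

def parse_line(line: str, known_apps=frozenset({"appname"})) -> Optional[Record]:
    """Return a Record, or None when the line does not match the template."""
    m = LINE_RE.match(line)
    ts = parse_ts(m.group(1)) if m else None
    if ts is None or m.group(3) not in known_apps:
        return None
    return Record(ts, m.group(2), m.group(3), m.group(4))

def audit_stream(data: bytes):
    """Split a TCP byte stream on newlines; return (records, rejected, unread tail)."""
    *complete, tail = data.split(b"\n")        # tail = bytes of a line not yet complete
    records, rejected = [], []
    for raw in filter(None, complete):         # skip empty frames
        line = raw.decode("utf-8", "replace")
        rec = parse_line(line)
        (records if rec else rejected).append(rec or line)
    return records, rejected, tail

# Constructed sample: two valid lines, one line in another format, one partial read.
SAMPLE = (b"2024-05-01T12:00:00.123456+02:00 web01 appname user login ok\n"
          b"2024-05-01T12:00:01Z web01 appname disk at 91%\n"
          b"May  1 12:00:02 web01 appname: old format\n"
          b"2024-05-01T12:00:03+02:00 web01 appna")
```

Rejected lines usually mean a sender is still using a different template; the unread tail must be prepended to the next chunk read from the socket.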

For applications generating multiple log files:

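# Bind each input to the forwarding ruleset; otherwise it is handled by the default ruleset
input(type="imfile" File="/opt/appname/logs/access.log" Tag="appname:access" Ruleset="forwardToRemote")
input(type="imfile" File="/opt/appname/logs/error.log" Tag="appname:error" Ruleset="forwardToRemote")
input(type="imfile" File="/opt/appname/logs/debug.log" Tag="appname:debug" Ruleset="forwardToRemote")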

After configuration, verify with:

rsyslogd -N1  # Validate config syntax
systemctl restart rsyslog
tail -f /var/log/syslog | grep appname  # shows entries only if a local file action also processes these messages

Check queue status with:

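# rsyslogd -o writes a consolidated config file; it does not report queue status.
# Disk-queue spool files named after queue.filename appear in rsyslog's workDirectory
# while messages are buffered on disk (the directory below is an assumption; use your own).
ls -l /var/lib/rsyslog/applogqueue*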

For high-volume applications:

  • Increase PollingInterval to reduce CPU usage
  • Adjust queue.size based on expected peak loads
  • Consider Protocol="tcp" for reliability over UDP