rsyslog

How to use startmsg.regex in Rsyslog


The following is my conf file. I want to add config for startmsg.regex.

I added the following line to my config file:

  startmsg.regex="^[[:digit:]]{4}\/[[:digit:]]{2}\/[[:digit:]]{2} [[:digit:]]{2}:[[:digit:]]{2}:[[:digit:]]{2}"


  $ModLoad imfile
  $InputFilePollInterval 10
  $PrivDropToGroup proxy
  $WorkDirectory /var/spool/rsyslog

  $InputFileName /var/log/app/cache.log
  $InputFileTag app-error:
  $InputFileStateFile stat-app-error
  $InputFileSeverity error
  $InputFilePersistStateInterval 20000
  $InputRunFileMonitor

  startmsg.regex="^[[:digit:]]{4}\/[[:digit:]]{2}\/[[:digit:]]{2} [[:digit:]]{2}:[[:digit:]]{2}:[[:digit:]]{2}"

  $template AppError,"error %msg%\n"

  if $programname == 'app-error' then @@0.0.0.0:12345;AppError
  if $programname == 'app-error' then ~

And when I check my config file using rsyslogd -N1, I am getting an error. What is the correct way to use this feature?


Solution

  • The following is the conf file I am using to send my logs via rsyslog. I am also adding sample logs.

    This configuration will match each event that starts with YYYY/MM/DD HH:MM:SS and then send it to my TCP endpoint. This configuration can be used with multi-line logs.

    module(load="imfile" PollingInterval="10") #needs to be done just once
    # File 1
    input(type="imfile"
      File="/var/log/app/my.log"
      Tag="app-error"
      Severity="error"
      startmsg.regex="^[[:digit:]]{4}/[[:digit:]]{2}/[[:digit:]]{2} [[:digit:]]{1,2}:[[:digit:]]{1,2}:[[:digit:]]{1,2}"
    )
    
    
    $PrivDropToGroup proxy
    $WorkDirectory /var/spool/rsyslog
    
    
    $template AppError,"error %msg%\n"
    
    if $programname == 'app-error' then @@0.0.0.0:12345;AppError
    if $programname == 'app-error' then ~
    

    Sample log:

    2017/10/24 09:14:06 id1|   Took 0.00 seconds (  0.00 entries/sec).
    CPU Usage: 0.052 seconds = 0.032 user + 0.020 sys
    Maximum Resident Size: 104944 KB
    Page faults with physical i/o: 0
    2017/10/24 09:14:06 id1| found error
    

    Now rsyslog will send my multi-line logs as a single event to my TCP endpoint as follows:

    2017/10/24 09:14:06 id1|   Took 0.00 seconds (  0.00 entries/sec). \nCPU Usage: 0.052 seconds = 0.032 user + 0.020 sys \nMaximum Resident Size: 104944 KB \nPage faults with physical i/o: 0
    2017/10/24 09:14:06 id1| found error
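To see exactly which lines the answer's startmsg.regex glues together, here is an added Python emulation of imfile's grouping rule (example code written for this page, not part of the answer and not rsyslog's own implementation). It takes the regex from the answer's input() block as-is, translates the POSIX [[:digit:]] classes that Python's re module does not understand, and replays the constructed sample log through it. The helper names posix_to_python and split_events, the SAMPLE_LOG text and the literal "\n" joining are all assumptions of this example; the joined output shape is modelled on the answer's TCP output above.

```python
import re
from typing import List

# Constructed sample log, modelled on the lines shown in the answer.
SAMPLE_LOG = """2017/10/24 09:14:06 id1|   Took 0.00 seconds (  0.00 entries/sec).
CPU Usage: 0.052 seconds = 0.032 user + 0.020 sys
Maximum Resident Size: 104944 KB
Page faults with physical i/o: 0
2017/10/24 09:14:06 id1| found error
"""

# The startmsg.regex from the answer's input() block, unchanged.
RSYSLOG_STARTMSG_REGEX = (
    "^[[:digit:]]{4}/[[:digit:]]{2}/[[:digit:]]{2} "
    "[[:digit:]]{1,2}:[[:digit:]]{1,2}:[[:digit:]]{1,2}"
)


def posix_to_python(pattern: str) -> str:
    """rsyslog compiles POSIX extended regexes, so [[:digit:]] is valid there;
    Python's re has no POSIX bracket classes, so rewrite them before compiling."""
    return pattern.replace("[[:digit:]]", "[0-9]")


def split_events(text: str, startmsg_regex: str) -> List[str]:
    """Emulate imfile with startmsg.regex set (assumed model of its behaviour):

    - a line matching the regex begins a new event;
    - any other line is a continuation of the current event;
    - continuation lines are joined with a literal backslash-n, which is what
      the answer's TCP output shows (rsyslog escapes the LF inside %msg%).

    Lines that precede the first matching line are kept as their own event so
    that nothing is silently dropped.
    """
    start = re.compile(posix_to_python(startmsg_regex))
    events: List[str] = []
    current = None
    for line in text.splitlines():
        if start.search(line):
            if current is not None:
                events.append(current)
            current = line
        elif current is None:
            current = line
        else:
            current = current + "\\n" + line
    if current is not None:
        events.append(current)
    return events


if __name__ == "__main__":
    for event in split_events(SAMPLE_LOG, RSYSLOG_STARTMSG_REGEX):
        print(event)
```

Two caveats that the emulation glosses over. First, rsyslog does not know an event is complete at end of file: the last message is held until either a new start line arrives or the input's readTimeout elapses, so without readTimeout the final "found error" line in the sample would sit unsent until more logging happens. Second, any line that begins with the YYYY/MM/DD HH:MM:SS shape starts a fresh event, so if the application writes user-supplied text into the log body, anchoring the regex on more than the timestamp (for example the "id1|" token as well) keeps such text from being parsed as a record boundary downstream.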