There are a lot more robust centralized logging solutions out there but during a recent hack day I had about an hour to get logs from 24 servers to a centralized one for processing.
First you will need to get centralized logging set up, I won’t go into that here as that step is well documented but a quick view is to:
1. Configure the server to listen on udp.
2. add this line to the bottom of the rsyslog.conf file
Okay so your servers are sending its system logs to a centralized host, now the fun part.
First you will need to create a config file for the log and place it in the /etc/rsyslog.d directory.
In my case I am going to ship a log named event.log
$InputFileName /srv/whi/shared/log/event.log $InputFileTag eventlog $InputFileStateFile eventlog $InputRunFileMonitor $InputFilePersistStateInterval 10 *.* @$IP__ADDRESS:514
Now add a config to the server to write the log to its own file.
$template ProxiesTemplate,"%msg%\n" if $programname == 'eventlog' and $msg contains 'viewed.entr' then /var/log/eventlog.log;ProxiesTemplate
In the first line above I am stripping the log or the timestamp and the hostname, I am only interested in the body .
The second line I am matching the program name and a particular string in the body of the message and writing them to a specific log file.
The last thing you need to do it put in a an exception to the current messages and syslog file otherwise these custom logs will also end up there.
In ubuntu I had to edit the file /etc/rsyslog.d/50-default.conf
I basically had to add this string “event.none” to the lines for syslog and messages
*.*;auth,authpriv.none,event.none -/var/log/syslog *.=info;*.=notice;*.=warn;auth,authpriv.none;cron,daemon.none;mail,news.none,event.none -/var/log/messages
Thats basically it, enjoy.