I wanted to create a configuration using the default rsyslog tool on RHEL/CentOS that would dynamically store log files depending on the “program name” that writes the logs.
Disclaimer: this is not a safe configuration. Anyone can pretend to be any program on a Linux box with syslog, so you can’t trust the data 100%. But it’s a nice little separator for having multiple applications run, each with its own identity.
To create dynamic logfiles, based on the $programname variable in rsyslog, you first have to define a dynamic destination template.

    ~$ cat /etc/rsyslog.d/custom_logging.conf
    $template CUSTOM_LOGS,"/var/log/%programname%.log"

Once you have such a dynamic template, you can begin to redirect syslog messages there that match a certain pattern. In this case, I want to match every application whose name begins with the letter “n”, and have each application write to its own log.

    ~$ cat /etc/rsyslog.d/custom_logging.conf
    ...
    if $programname startswith 'n' then ?CUSTOM_LOGS
    & ~

The trailing & ~ stops further rules from processing the matched messages: & applies an additional action to the same filter, and ~ discards the message.
Alternatively, you can match a specific programname as well.

    ~$ cat /etc/rsyslog.d/custom_logging.conf
    ...
    if $programname == 'my_custom_app' then ?CUSTOM_LOGS
    & ~

To tie it all together, if you want to have dynamic logs based on the application name, make an rsyslog config that looks like this.

    ~$ cat /etc/rsyslog.d/custom_logging.conf
    # Template the destination file
    $template CUSTOM_LOGS,"/var/log/%programname%.log"

    # Match anything that starts with the letter "n" and
    # rewrite it to /var/log/$programname.log
    if $programname startswith 'n' then ?CUSTOM_LOGS
    & ~

To test the configuration, use the logger tool and pass along arguments to tag your messages. These tags are interpreted by rsyslog as the $programname variable used in the examples above.

    $ logger -t n_application1 "this gets written to log 'n_application1' "
    $ logger -t myapp "this gets written to log 'myapp' "

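As the disclaimer above notes, any local user can choose the tag, so the startswith 'n' rule lets anyone create new files under /var/log. The audit function below is an added example, not part of the original post; the function name `unexpected_logs` and the allowlist file (one expected program name per line) are assumptions.

```sh
#!/bin/sh
# Added example: audit the per-program files created by the rule
#   if $programname startswith 'n' then ?CUSTOM_LOGS
# Every tag nobody expected shows up as an extra LOG_DIR/n*.log file.

# unexpected_logs LOG_DIR ALLOWLIST_FILE
# Prints the program name of each LOG_DIR/n*.log that is not listed in
# ALLOWLIST_FILE. Returns 1 if any were found, 0 otherwise.
unexpected_logs() {
    log_dir=$1
    allowlist=$2
    found=0
    for path in "$log_dir"/n*.log; do
        [ -e "$path" ] || continue      # glob matched nothing
        name=$(basename "$path" .log)
        # -x: whole-line match, -F: fixed string, -q: no output
        if ! grep -qxF -- "$name" "$allowlist"; then
            printf '%s\n' "$name"
            found=1
        fi
    done
    return "$found"
}

# Stand-alone use: script.sh /var/log /path/to/allowlist (paths are assumptions)
if [ "$#" -eq 2 ]; then
    unexpected_logs "$1" "$2"
fi
```

Run it from cron or a monitoring check and alert on a non-zero exit status.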
For more information on the rsyslog filtering options, have a look at the rsyslog v5 filter documentation (default on CentOS/RHEL) or the latest rsyslog v8 filter documentation.
It’s mostly REGEX based.
If you want to do more advanced logging, you’re probably better off investigating tools like syslog-ng or logstash.