Write to and manage syslog messages with logger and rsyslog

Syslog is the target where you want all log message to go on all systems that you manage. Almost all Linux distributions use a syslog implementation to gather messages. Recently, rsyslog became the most used syslog-implementation for Linux. Messages can be saved locally or sent to a remote syslog server. When creating your own applications or tools or when you want to log messages coming from processes that don’t support writing to syslog directly, you can use Logger.

Logger is a small and easy to use tool. It allows you to forward messages that come on stdout or stderr to syslog and that’s it. The messages can be tagged and/or contain the pid of the application writing the message. By only forwarding the messages to syslog, they will probably end up in /var/log/messages which could be fine for what you want to do. I’ll also explain how to define rules for rsyslog to move the message to a separate file.

On CentOS and Debian, logger, rsyslog and logrotate are a standard part of the minimal install so in most cases those packages don’t need to be installed. The commands used in this post should be completely interchangeable between most distributions.

Basic usage of logger

Using logger is quite simple. In the most simple form, you can write a message to syslog as follows:

[jensd@node01 ~]$ logger testmessage
[jensd@node01 ~]$ sudo tail -1 /var/log/messages
Dec  2 21:19:09 node01 jensd: testmessage

When we want to provide a little more information:

[jensd@node01 ~]$ logger -i -t testid testmessage
[jensd@node01 ~]$ sudo tail -1 /var/log/messages
Dec  2 21:19:55 node01 testid[2401]: testmessage

Putting the messages in a separate logfile

As you can see in the previous examples, the message which we sent to syslog went to file /var/log/messages. On most distributions, uncategorized messages end up in /var/log/messages or /var/log/syslog. The target where a message is written to isĀ configured in /etc/rsyslog.conf. It is possible to send specific messages to a specific file or even a remote syslog-server.

To send messages that have the testid identifier to a file /var/log/testlog, we need to add the following to /etc/rsyslog.conf

#### RULES ####
$template testlog, "/var/log/testlog"
if $programname contains 'testid' then ?testlog
& ~
  • Line 1: the starting point of the specific rules in the configuration file, it’s there by default on most distributions.
  • Line 2: definition of a template for the file, it can also contain variables like %HOSTNAME% or %programname%
  • Line 3: the condition for a message to be sent to the file define in the template
  • Line 4: prevents messages that matched the condition on line 3 to be processed further. Without this line, the message will end up in /var/log/testlog and in /var/log/messages.

After changing the configuration file /etc/rsyslog.conf, we need to restart rsyslog for the changes to take effect:

[jensd@node01 ~]$ sudo vi /etc/rsyslog.conf
[jensd@node01 ~]$ sudo systemctl restart rsyslog
[jensd@node01 ~]$ logger -i -t testid testmessage
[jensd@node01 ~]$ tail /var/log/testlog
Dec  2 21:28:14 cen testid[2453]: testmessage
[jensd@node01 ~]$ ls -l /var/log/testlog
-rw-r--r--. 1 root root 46 Dec  2 21:28 /var/log/testlog

As you can see, after resending our testmessage, the message ended up in /var/log/testlog as we defined in the configuration file of rsyslog.

As you can also see in the above output, the file got created and is owned by root which can be annoying when other processes also need to write to the logfile or it needs to be cleared by another process, not running as root. To let the file be created and owned by another user or group, we can change the configuration in /etc/rsyslog.conf to include the following:

#### RULES ####
$FileOwner jensd
$FileCreateMode 0660
$FileGroup jensd
$template testlog, "/var/log/testlog"
if $programname contains 'testid' then ?testlog
& ~
$FileOwner root
$FileCreateMode 0644
$FileGroup root

After the rules specific for our logfile, it’s important to set the owner/group and permissions back to their defaults to not break other log-operations.

After restarting rsyslog, you can see that the owner changed as we requested.

[jensd@node01 ~]$ sudo vi /etc/rsyslog.conf
[jensd@node01 ~]$ sudo rm /var/log/testlog
[jensd@node01 ~]$ sudo systemctl restart rsyslog
[jensd@node01 ~]$ logger -i -t testid testmessage
[jensd@node01 ~]$ tail /var/log/testlog
Dec  2 21:37:53 cen testid[2482]: testmessage
[jensd@node01 ~]$ ls -l /var/log/testlog
-rw-r-----. 1 jensd jensd 46 Dec  2 21:37 /var/log/testlog

Logger also accepts stdin as a source of the message to write to the log, so it’s a small but powerful tool to log messages to syslog from processes that do not support that functionality directly.

[jensd@node01 ~]$ echo "message2"|logger -i -t testid
[jensd@node01 ~]$ tail /var/log/testlog
Dec  2 21:37:53 cen testid[2482]: testmessage
Dec  2 21:43:26 cen testid[2487]: message2

This time, I managed to write a small post, hopefully it can help you in unifying and bundling log messages for any possible script or process.

1 thought on “Write to and manage syslog messages with logger and rsyslog

Leave a Reply

Your email address will not be published. Required fields are marked *