To configure the rsyslog you need to edit
/etc/rsyslog.conf
The application specific configulation file can be added to
/etc/rsyslog.d/
after modifing the conf file you need to restart the rsyslog
systemctl restart rsyslog
or
systemctl restart rsyslog.service
example rt_log. conf file
##### rt_log.conf #####
#
## If you want to log every message to the log file instead of
## intelligently suppressing repeated messages, set off to
## RepeatedMsgReduction. This change requires rsyslog restart
## (eg. run 'service rsyslog restart')
#
#$RepeatedMsgReduction off
$RepeatedMsgReduction on
$ModLoad mmjsonparse
*.* :mmjsonparse:
#
## The mmcount module provides the capability to count log messages by
## severity or json property of given app-name. The count value is added
## into the log message as json property named 'mmcount'
##
## More info at http://www.rsyslog.com/doc/mmcount.html
#
#module(load="mmcount")
#action(type="mmcount" appname="glusterd" key="!gf_code") # count each value of gf_code of appname glusterd
#action(type="mmcount" appname="glusterfsd" key="!gf_code") # count each value of gf_code of appname glusterfsd
#action(type="mmcount" appname="glusterfs" key="!gf_code") # count each value of gf_code of appname glusterfs
template (name="rt_log_dynLogFile" type="string" string="/var/log/rt_log/%app-name%.log")
template(name="rt_log_template" type="list") {
# property(name="$!mmcount")
# constant(value="/")
property(name="syslogfacility-text" caseConversion="upper")
constant(value="/")
property(name="syslogseverity-text" caseConversion="upper")
constant(value=" ")
constant(value="[")
property(name="timereported" dateFormat="rfc3339")
constant(value="] ")
constant(value="[")
# property(name="$!gf_code")
constant(value="] ")
constant(value="[")
# property(name="$!gf_message")
constant(value="] ")
property(name="$!msg")
constant(value="\n")
}
if $app-name contains 'rtgate' then {
action(type="omfile"
DynaFile="rt_log_dynLogFile"
Template="rt_log_template")
stop
}
#
## send email for every 50th mmcount
#$ModLoad ommail
#if $app-name == 'glusterfsd' and $!mmcount <> 0 and $!mmcount % 50 == 0 then {
# $ActionMailSMTPServer smtp.example.com
# $ActionMailFrom rsyslog@example.com
# $ActionMailTo glusteradmin@example.com
# $template mailSubject,"50th message of gf_code=9999 on %hostname%"
# $template mailBody,"RSYSLOG Alert\r\nmsg='%msg%'"
# $ActionMailSubject mailSubject
# $ActionExecOnlyOnceEveryInterval 30
# :ommail:;RSYSLOG_SyslogProtocol23Format
#}
#
http://www.rsyslog.com/doc/v8-stable/configuration/filters.html
http://www.rsyslog.com/doc/master/configuration/properties.html