How to Create a Customized Log Format with Rsyslog

Logging is a critical aspect of system administration, helping you keep track of events, diagnose issues, and maintain security. While default logging formats in Rsyslog are functional, there are times when you need a custom format to meet specific requirements. In this blog, we'll walk you through the steps to create a customized log format using Rsyslog, focusing on how to prepend the year to each log entry.

By default, Rsyslog logs include a timestamp, but it typically omits the year, making it difficult to track events over extended periods. For instance, a log entry might look like this:

Before:

Aug 28 04:49:01 localhost saslauthd[247142]: PAM unable to resolve symbol: pam_sm_setcred

This format is fine for day-to-day monitoring, but if you're reviewing logs from past years or archiving logs for compliance, having the year included in each entry becomes essential.

With a simple customization, you can modify the log format to include the year, providing a clearer and more detailed record:

After:

2024 Aug 28 04:49:01 localhost saslauthd[247142]: PAM unable to resolve symbol: pam_sm_setcred

Now, let's dive into the steps to achieve this.

The first step in customizing your log format is to define a new template in your Rsyslog configuration file. This template specifies exactly how each log entry should be formatted.

Here's the template we'll use:

$template CustomTemplate,"%$YEAR% %timegenerated% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"

Breaking Down the Template:

• $template CustomTemplate, "...": This line defines a new template named CustomTemplate.

• %$YEAR%: Inserts the four-digit year (e.g., 2024).

• %timegenerated%: Inserts the timestamp when the log entry was generated, including the month, day, and time (e.g., Aug 28 04:49:01).

• %HOSTNAME%: Inserts the hostname of the system where the log was generated (e.g., localhost).

• %syslogtag%: Inserts the tag associated with the syslog message, usually indicating the source of the log (e.g., saslauthd[247142]:).

• %msg:::sp-if-no-1st-sp%: Inserts the actual log message, ensuring that there are no unnecessary leading spaces.

• %msg:::drop-last-lf%: Removes any trailing line feed characters from the message, preventing extra blank lines in your logs.

• \n: Adds a newline character to ensure each log entry starts on a new line.

Once you've defined your custom template, you need to tell Rsyslog to use it when writing log messages to files. This is done with the ActionFileDefaultTemplate directive:

$ActionFileDefaultTemplate CustomTemplate

Explanation:

• $ActionFileDefaultTemplate CustomTemplate: This line tells Rsyslog to apply the CustomTemplate to all log files by default. From now on, every log entry written to a file will follow the format specified in CustomTemplate.

After making these changes to your Rsyslog configuration, you'll need to reload the Rsyslog service for the changes to take effect. You can do this with the following command:

[root@siddhesh ~]# systemctl restart rsyslog
[root@siddhesh ~]#

To ensure that your customization is working correctly, check your log files (typically located in /var/log/). Open one of the logs and verify that the entries now include the year at the beginning of each line.

For example:

2024 Aug 28 04:49:01 localhost saslauthd[247142]: PAM unable to resolve symbol: pam_sm_setcred

Customizing your log format in Rsyslog is a straightforward process that can significantly improve the readability and usefulness of your logs. By including the year in your log entries, you make it easier to track long-term trends, troubleshoot issues, and maintain better records.