0

I'm using python logging library to write to log file.

Currently It write to a static file, and contain:

myapp; 2025-06-25 05:44:38 INFO builtins <module> Hello world

I'm new to rsyslog. How to set rsyslog templates to:

  1. Extract the value of first word before first semi-colon and use it as 'key'
  2. Write to local log file with the name of key.log (i.e: myapp.log)
  3. And when writing, only start from the timestamp to the rest.

tried

template(name="debug_format" type="string" string="rawmsg=%rawmsg%, key=%$.key%, msg=%$.msg%\n")

action(type="omfile" file="/home/bino/Documents/playsyslog/debug.log" template="debug_format")

set $.key = field($rawmsg, 1, ";");
set $.key = replace($$.key, "<[0-9]+>", "");

set $.msg = field($rawmsg, 2, ";");

action(type="omfile" file="/dev/null")

But debug.log only contain

rawmsg=<190>myapp; 2025-06-25 07:40:39 INFO builtins <module> hello world 1750837239.561345, key=, msg=

empty key and msg

----------Edit------

After i make another observasion with running rsyslogd in debug mode, found that the raw msg received by rsyslog is

9319.712852011:main Q:Reg/w0  : ruleset.c: processBATCH: next msg 0: <14>KEYFIELD; 2025-07-01 00:21:59 INFO to_sock handle Hello there 1751329319.712039

So adapting the help by @meuh at https://unix.stackexchange.com/a/797500/480724 both the 'key' 'part' got

'***FIELD NOT FOUND***'
Improve this question

1 Answer 1

Reset to default
1

Actions are executed at the place they occur, so the first action should be after the set commands. The second action does nothing useful and should be removed; it does not "unset" a previous action.

The function replace() does not understand regexps, only plain substrings. There is no need for one as the property rawmsg-after-pri holds the message starting after the <190> priority.

$$ should not be used except for system properties which begin with $, e.g. $$hour.

The function field() expects the 2nd argument to be the delimiter character, and the 3rd argument to be the count, not vice versa.

A dynamic filename is specified with the option dynaFile= followed by the name of a template in double-quotes, eg:

template(name="logfile" type="string" string="/.../%$.key%")
set $.key = field($rawmsg-after-pri, ";", 1);
set $.msg = field($rawmsg, ";", 2);
action(type="omfile" dynaFile="logfile" template="debug_format")
Improve this answer
4
  • Thankyou for your help. But I wrong about the received msg by rsyslog. so I edited the question Commented Jul 1 at 0:29
  • Sorry, I forgot to correct the order of the arguments to the field() function. I've edited the answer. Commented Jul 1 at 6:18
  • it work like a charm. I really appreciate your help. Commented Jul 1 at 7:39
  • actualy, the ".msg" part got only the time stamp (msg= 2025-07-01 07), not the rest of msg Commented Jul 1 at 7:55

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.