How do you setup rsyslog to filter heroku logs sent via a drain?

Question

I would like to send my heroku logs to a remote linux machine and having them filtered into their own separate file in /var/log/

On the heroku side I issued this command:

heroku drains:add syslog://my_linux_ip:514

On my ubuntu machine I edited /etc/rsyslog.conf and uncommented these lines:

# provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

Now I will see heroku log output in /var/log/messages

It is tagged with the hostname d.d423cb4b.......

How do I get all of the heroku messages to be collected in /var/log/heroku?

Answer 1

you can use these enteries to fliter their logs on basis of dynos

dyno ID--d.2a2f9970-dc14-43d8-b893-26a70293c437

hostname, contains, "d.2a2f9970-dc14-43d8-b893-26a70293c437" /var/log/heroku/appname/appname_all.log
if ($hostname contains 'd.2a2f9970-dc14-43d8-b893-26a70293c437' and $syslogtag contains 'heroku[web.1]') then /var/log/heroku/appname/appname_Memory_cpu_dyno1.log
if ($hostname contains 'd.2a2f9970-dc14-43d8-b893-26a70293c437' and $syslogtag contains 'heroku[web.2]') then /var/log/heroku/appname/appname_Memory_cpu_dyno2.log
if ($hostname contains 'd.2a2f9970-dc14-43d8-b893-26a70293c437' and $syslogtag contains 'heroku[web.3]') then /var/log/heroku/appname/appname_Memory_cpu_dyno3.log
if ($hostname contains 'd.2a2f9970-dc14-43d8-b893-26a70293c437' and $syslogtag contains 'heroku[web.4]') then /var/log/heroku/appname/appname_Memory_cpu_dyno4.log
if ($hostname contains 'd.2a2f9970-dc14-43d8-b893-26a70293c437' and $syslogtag contains 'heroku[router]') then /var/log/heroku/appname/router_appname.log

Answer 2

Simply add this line to your rsyslog.conf

if $hostname startswith 'd.d423cb4b' then /var/log/heroku
& ~

Obviously you need to match d.d423cb4b with the actual hostname you observed in your own logs.

The & ~ line instructs rsyslog to not duplicate this output in any other log. So, you should see your output in /var/log/heroku and nowhere else.