log4j2.properties syslog is not wrking

Question

My java application problem is that log4j2 syslog is written not in 'local1.log' but 'messages'. My /etc/rsyslog.conf is configured 'local1.* /var/log/local1.log' in /etc/rsyslog.conf.

But One of weired is when I removed 'appender.syslog.layout.type' and 'appender.syslog.layout.pattern' from log4j2.properties, syslog starts being written in /var/log/local1.log correctly.

Is my configuration incorrect?

Are layout properties not applied in syslog?

[/etc/rsyslog.conf]

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none;local1.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

...

local1.*                                                /var/log/local1.log

[Used log4j2 library]

log4j-api-2.17.2.jar
log4j-core-2.17.2.jar

[log4j2.properties]

status = warn
name = Test

# Console appender configuration
appender.console.type = Console
appender.console.name = consoleLogger
appender.console.layout.type = PatternLayout
appender.console.layout.pattern = %d{HH:mm:ss} %5p (%c{1} - %M:%L) - %m%n

appender.syslog.type = Syslog
appender.syslog.name = sysLogger
appender.syslog.host = localhost
appender.syslog.port = 514
appender.syslog.protocol = UDP
appender.syslog.facility = LOCAL1
appender.syslog.layout.type = PatternLayout
appender.syslog.layout.pattern = %c{1} (%M:%L) %m\n

# Root logger level
rootLogger.level = debug
rootLogger.appenderRefs = consoleLogger, sysLogger
rootLogger.appenderRef.stdout.ref = consoleLogger
rootLogger.appenderRef.syslog.ref = sysLogger

Answer 1

Log4j2's syslog layout is used to format the entire syslog message and must therefore be one of SyslogLayout (traditional BSD syslog format) or Rfc5424Layout (modern syslog layout). Using any other layout will result in invalid messages and RSyslog will have to guess the message's metadata. Most notably the facility will be set to USER.

If you want to send additional data to syslog, beyond %m, you should use the RFC5424 format and send the additional information as structured data. For example you can use (in XML format):

<Syslog name="sysLogger" host="localhost" port="514" protocol="UDP">
  <Rfc5424Layout appName="MyApp" facility="LOCAL1">
    <LoggerFields enterpriseId="32473" sdId="location">
      <KeyValuePair key="logger" value="%c" />
      <KeyValuePair key="class" value="%C" />
      <KeyValuePair key="method" value="%M" />
      <KeyValuePair key="line" value="%L" />
    </LoggerFields>
  </Rfc5424Layout>
</Syslog>

which translates to the properties format as:

appender.syslog.type = Syslog
appender.syslog.name = sysLogger
appender.syslog.host = localhost
appender.syslog.port = 514
appender.syslog.protocol = UDP
appender.syslog.layout.type = Rfc5424Layout
appender.syslog.layout.facility = LOCAL1
appender.syslog.layout.appName = MyApp
appender.syslog.layout.fields.type = LoggerFields
appender.syslog.layout.fields.enterpriseId = 32473
appender.syslog.layout.fields.sdId = location
appender.syslog.layout.fields.0.type = KeyValuePair
appender.syslog.layout.fields.0.key = logger
appender.syslog.layout.fields.0.value = %c
...

Virtually all modern syslog servers can interpret structured data. For RSyslog you need to:

1. Enable structured data parsing:

   module(load="mmpstrucdata")
   action(type="mmpstrucdata")
   

2. Create a template to format your message:

   template(name="MyAppFormat" type="list") {
       property(name="timereported" dateFormat="rfc3339")
       constant(value=" ")
       property(name="hostname")
       constant(value=" ")
       property(name="syslogtag")
       constant(value=" ")
       property(name="$!rfc5424-sd!location@32473!class")
       constant(value=" (")
       property(name="$!rfc5424-sd!location@32473!method")
       constant(value=":")
       property(name="$!rfc5424-sd!location@32473!line")
       constant(value=") ")
       property(name="msg" droplastlf="on")
       constant(value="\n")
   }
   

3. Use the template for messages coming from "MyApp":

   :app-name, isequal, "MyApp" {
       /var/log/myapp.log;MyAppFormat
       stop
   }