Tanika Garg

Reputation: 29

Export logs using Rsyslog in various formats

I am trying to export kernel logs (/var/log/messages) to remote Syslog servers using rsyslog.

I am required to export in various standard formats like RFC3339, RFC3164, and RFC5424. Can someone please tell me how to solve this issue? I believe this attribute needs to be used:

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

Upvotes: 0

Views: 3942

Answers (1)

eDonkey

Reputation: 717

RFC 3339 is a standard for representing date and time, not a logging standard like RFC 3164 or RFC 5424. While RFC 3164 uses a simpler, less precise timestamp format, RFC 5424 adopts RFC 3339 to ensure accurate and consistent time representation.

$ActionFileDefaultTemplate sets a global default template, but it is only applied when writing logs to files.

To capture kernel logs, the imklog module can be used. By default, rsyslog uses the RFC 3164 format, so logs will be sent in this format unless another template is specified. However, if you want to define it for clarity, you can explicitly set the template RSYSLOG_TraditionalFileFormat for RFC 3164. To forward logs in RFC 5424 format, the template RSYSLOG_SyslogProtocol23Format can be used.

See Reserved Template Names for more information on all the built-in templates.

module(load="imklog")         # Kernel logging
module(load="builtin:omfwd")  # Log forwarding

# Forward logs in RFC 3164 format
if $syslogfacility-text == 'kern' then {
    action(type="omfwd" target="192.168.1.10" port="514"
        protocol="tcp" template="RSYSLOG_TraditionalFileFormat")
}

# Forward logs in RFC 5424 format
if $syslogfacility-text == 'kern' then {
    action(type="omfwd" target="192.168.1.20" port="514"
        protocol="tcp" template="RSYSLOG_SyslogProtocol23Format")
}

Upvotes: 0
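As an added example (not part of the answer above and not code from the rsyslog project), here is a small Python parser for the two line shapes the templates named in the answer produce: the legacy RFC 3164 layout and the RFC 5424 layout with its RFC 3339 timestamp. The sample lines are constructed to match the documented rsyslog templates for one kernel message; the hostname edge01 and the message text are assumptions. Parsing the two side by side shows why the choice matters at the receiving end: the RFC 3164 timestamp carries neither year nor UTC offset, so the collector has to supply the year and cannot place the event on an absolute timeline, while the RFC 5424 line is self-describing.

```python
"""Parse the syslog line shapes produced by the rsyslog templates discussed above.

Added example, not from the original post or from the rsyslog project.
The sample lines are constructed to match the documented template layouts
for one kernel event; they are not captured data.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional, Tuple

# Constructed samples of the same event: facility kern (0), severity info (6), PRI 6.
# RSYSLOG_TraditionalFileFormat: RFC 3164 layout without the <PRI> header.
SAMPLE_TRADITIONAL_FILE = "Mar  5 14:07:22 edge01 kernel: usb 1-1: new high-speed USB device number 4"
# RSYSLOG_TraditionalForwardFormat: the same layout with <PRI> prepended.
SAMPLE_TRADITIONAL_FWD = "<6>Mar  5 14:07:22 edge01 kernel: usb 1-1: new high-speed USB device number 4"
# RSYSLOG_SyslogProtocol23Format: RFC 5424 with an RFC 3339 timestamp.
SAMPLE_RFC5424 = ("<6>1 2024-03-05T14:07:22.123456+00:00 edge01 kernel - - - "
                  "usb 1-1: new high-speed USB device number 4")

FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog"}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


@dataclass
class SyslogEvent:
    format: str                    # "rfc5424" or "rfc3164"
    facility: Optional[str]        # None when the line carried no <PRI>
    severity: Optional[str]
    timestamp: Optional[datetime]  # tz-aware for RFC 5424, naive for RFC 3164
    hostname: str
    app: str
    msg: str


# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[.*?\])+)(?: (?P<msg>.*))?$"
)
# RFC 3164: [<PRI>]Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MSG  (no year, no zone)
RFC3164_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\s\[]+)(?:\[\d+\])?: ?(?P<msg>.*)$"
)


def decode_pri(pri: Optional[str]) -> Tuple[Optional[str], Optional[str]]:
    """Split the PRI value into facility and severity names (PRI = facility*8 + severity)."""
    if pri is None:
        return None, None
    value = int(pri)
    if value > 191:  # 23 facilities * 8 + 7 is the largest legal value
        raise ValueError(f"PRI out of range: {value}")
    return FACILITIES.get(value // 8, str(value // 8)), SEVERITIES[value % 8]


def parse_syslog_line(line: str, assumed_year: Optional[int] = None) -> SyslogEvent:
    """Parse one line in either layout; raise ValueError for anything else."""
    line = line.rstrip("\n")
    m = RFC5424_RE.match(line)
    if m:
        facility, severity = decode_pri(m["pri"])
        # RFC 5424 allows the NILVALUE "-" in place of the timestamp
        when = None if m["ts"] == "-" else datetime.fromisoformat(m["ts"])
        return SyslogEvent("rfc5424", facility, severity, when,
                           m["host"], m["app"], m["msg"] or "")
    m = RFC3164_RE.match(line)
    if m:
        facility, severity = decode_pri(m["pri"])
        # The year is not on the wire; the caller supplies it (default: this year).
        year = assumed_year if assumed_year is not None else datetime.now().year
        ts = re.sub(r"\s+", " ", m["ts"])  # "Mar  5" -> "Mar 5"
        when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
        return SyslogEvent("rfc3164", facility, severity, when,
                           m["host"], m["tag"], m["msg"])
    raise ValueError(f"unrecognised syslog line: {line!r}")


if __name__ == "__main__":
    for sample in (SAMPLE_TRADITIONAL_FILE, SAMPLE_TRADITIONAL_FWD, SAMPLE_RFC5424):
        print(parse_syslog_line(sample, assumed_year=2024))
```

Two things the output makes visible: the RSYSLOG_TraditionalFileFormat line parses with facility and severity both None, because that template is the file layout and has no <PRI> header, so a remote collector cannot recover them (rsyslog's RSYSLOG_TraditionalForwardFormat is the built-in RFC 3164 template that includes it); and only the RFC 5424 event comes back with a timezone-aware timestamp, which is what you want when correlating kernel events across hosts in different zones.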
