I am on debian 10 and I'm trying to do a very simple thing with rsyslog : I would like to redirect all logs from a particuliar docker container into a log file.
I set a tag to my docker container, and the log driver to "syslog" so now, in my journalctl I can see such lines :
Sep 25 18:34:05 XXXX my_docker[18678]: XXXXXXXX Great. Now I want to redirect those lines to a log file (the goal is to use fail2ban).
I created a new file /etc/rsyslog/mydocker.conf with the following content:
if $programname == 'my_docker' then /var/log/my_docker.log I also tried :
:programname, equals, " my_docker" /var/log/my_docker.log Then I did a simple
systemctl restart rsyslog And... Nothing ! The file is not created (even though, when I make a journalctl -t my_docker -f I can see logs spawning).
I also tried the following :
- Put the filter directly into
/etc/rsyslog.conf - Manually touch the
/var/log/my_docker.logfile with 777 mode
And nothing works !
Here is my /etc/rsyslog.conf :
# /etc/rsyslog.conf configuration file for rsyslog # # For more information install rsyslog-doc and see # /usr/share/doc/rsyslog-doc/html/configuration/index.html ################# #### MODULES #### ################# module(load="imuxsock") # provides support for local system logging module(load="imklog") # provides kernel logging support #module(load="immark") # provides --MARK-- message capability # provides UDP syslog reception #module(load="imudp") #input(type="imudp" port="514") # provides TCP syslog reception #module(load="imtcp") #input(type="imtcp" port="514") ########################### #### GLOBAL DIRECTIVES #### ########################### # # Use traditional timestamp format. # To enable high precision timestamps, comment out the following line. # $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat # # Set the default permissions for all log files. # $FileOwner root $FileGroup adm $FileCreateMode 0640 $DirCreateMode 0755 $Umask 0022 # # Where to place spool and state files # $WorkDirectory /var/spool/rsyslog # # Include all config files in /etc/rsyslog.d/ # $IncludeConfig /etc/rsyslog.d/*.conf ############### #### RULES #### ############### # # First some standard log files. Log by facility. # auth,authpriv.* /var/log/auth.log *.*;auth,authpriv.none -/var/log/syslog #cron.* /var/log/cron.log daemon.* -/var/log/daemon.log kern.* -/var/log/kern.log lpr.* -/var/log/lpr.log mail.* -/var/log/mail.log user.* -/var/log/user.log # # Logging for the mail system. Split it up so that # it is easy to write scripts to parse these files. # mail.info -/var/log/mail.info mail.warn -/var/log/mail.warn mail.err /var/log/mail.err # # Some "catch-all" log files. # *.=debug;\ auth,authpriv.none;\ news.none;mail.none -/var/log/debug *.=info;*.=notice;*.=warn;\ auth,authpriv.none;\ cron,daemon.none;\ mail,news.none -/var/log/messages # # Emergencies are sent to everybody logged in. # *.emerg :omusrmsg:* I searched for a while, read the doc several time and I don't understand where it can go wrong in such a simple setup !
Thanks !
