How to configure a Linux server to read custom log files with rsyslog
To read custom log files with rsyslog on a Linux server, the following prerequisites must be met:
1. Log in as root on the Linux server.
2. Edit the file /etc/rsyslog.conf (e.g. nano /etc/rsyslog.conf) and add the following lines to the body:
The imfile module enables rsyslog to convert any standard text file into syslog messages.
$ModLoad imfile
$InputFileName /path/to/file
$InputFileTag tag:
$InputFileStateFile /path/to/state/file
$InputFileSeverity severity
$InputFileFacility facility
$InputRunFileMonitor
The settings that are required to specify an input text file:
- replace /path/to/file with the file that you want to be monitored;
- replace tag: with the tag name for the message. You can make a parsing rule based on this tag in the CYBERQUEST web interface (the tag will be preceded by the "CQ" prefix);
- replace /path/to/state/file with a unique name for the state file. Make sure that you specify a name that does not already exist;
- replace severity with the syslog severity to be assigned to the lines read. It can be specified in textual form (e.g. "info", "warning", "error", ...). The default is "notice";
- replace facility with the syslog facility to be assigned to the lines read. It can be specified in textual form (e.g. local0 – local7). The default is local0;
- $InputRunFileMonitor activates the current monitor. It has no parameters, and if you forget this directive, the text file will be ignored.
3. Restart rsyslog:
systemctl restart rsyslog.service
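The step 2 lines can be generated per log file instead of typed by hand. The helper below is an added example, not part of the original guide: the function name imfile_stanza, the sample path and tag, and the state file naming scheme are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the original guide. imfile_stanza and the
# sample path/tag below are hypothetical names chosen for illustration.
# $ModLoad imfile is not emitted: it is added once, as shown in step 2.

imfile_stanza() {
    file=$1 tag=$2 severity=${3:-notice} facility=${4:-local0}

    # Allow-list the characters so a path or tag containing spaces or
    # newlines cannot add extra directives to rsyslog.conf.
    case $file in
        ''|[!/]*|*[!A-Za-z0-9/._-]*)
            echo "file must be an absolute path without special characters" >&2
            return 1 ;;
    esac
    case $tag in
        ''|*[!A-Za-z0-9_-]*) echo "invalid tag: $tag" >&2; return 1 ;;
    esac

    # Textual severities, including the "error" spelling used in the guide.
    case $severity in
        emerg|alert|crit|err|error|warning|notice|info|debug) ;;
        *) echo "invalid severity: $severity" >&2; return 1 ;;
    esac
    # This example accepts only the local0 - local7 range the guide mentions.
    case $facility in
        local[0-7]) ;;
        *) echo "invalid facility: $facility" >&2; return 1 ;;
    esac

    # Derive the state file name from the monitored path instead of a
    # hand-picked name that may already be in use (scheme is an assumption).
    state="imfile_state$(printf '%s' "$file" | tr -c 'A-Za-z0-9' '_')"

    printf '$InputFileName %s\n$InputFileTag %s:\n$InputFileStateFile %s\n' \
        "$file" "$tag" "$state"
    printf '$InputFileSeverity %s\n$InputFileFacility %s\n$InputRunFileMonitor\n' \
        "$severity" "$facility"
}

# Constructed sample: print the stanza for review before adding it to
# /etc/rsyslog.conf. "rsyslogd -N1" checks the configuration before step 3.
imfile_stanza /var/log/myapp/app.log myapp info local3
```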