Multiline Log Records in Syslog

Better Stack Team
Updated on November 18, 2024

Handling multiline log records in rsyslog can be a bit tricky, as it is designed primarily to handle single-line messages. However, you can configure rsyslog to process multiline logs by setting up specific rules in your configuration. Here’s a general approach to handle multiline log records:

  1. Define a Custom Template for Multiline Logs: You need to define a template that will handle multiline log entries correctly. This template should specify how to concatenate multiple lines into a single message.
  2. Set Up the Input Module: Configure the input module to use the template you've defined for handling multiline messages.
  3. Define Rules to Process Multiline Logs: Create rules in rsyslog to apply your template and process the multiline log messages as required.

Here’s an example configuration to get you started:

Define a Template

In /etc/rsyslog.conf or a custom configuration file under /etc/rsyslog.d/, define a template for handling multiline logs:

 
template(name="MultilineLog" type="string"
         string="%msg:1:999999%\\n")

Configure Input Module

Specify the input module and use the defined template:

 
module(load="imfile") # Load the imfile module

input(type="imfile"
      File="/path/to/your/logfile.log"
      Tag="myapp"
      Ruleset="processMultiline")

Define Ruleset to Process Multiline Logs

Create a ruleset that applies the template to process multiline messages:

 
ruleset(name="processMultiline") {
    action(type="omfile" File="/var/log/processed.log" Template="MultilineLog")
}

Example Log Handling

If your log entries start with a timestamp and are followed by multiple lines, you might need a more sophisticated approach to detect and concatenate multiline entries properly. For instance, if your logs are in a format like:

 
2024-09-16 12:00:00 INFO Starting process
Additional info line 1
Additional info line 2
2024-09-16 12:01:00 INFO Process ended

You might need to write a script or use additional tools to preprocess and concatenate these logs before they are handled by rsyslog.

Restart rsyslog

After updating the configuration, restart rsyslog to apply the changes:

 
sudo systemctl restart rsyslog

Troubleshooting

  • Ensure your log file path is correct and accessible.
  • Verify that rsyslog is not overwriting your configuration due to syntax errors or misconfigurations.
  • Check rsyslog logs for any errors related to the new configuration.

Feel free to adjust the example configuration to better fit your specific log format and requirements.

Got an article suggestion? Let us know
Explore more
Filebeat
Licensed under CC-BY-NC-SA

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.