Using Syslog with Foreman

Foreman does not natively support syslog, but you can use the 'imfile' module for Rsyslog to forward the production log from the Foreman server to your centralized log server.
If you're running Debian or RHEL >= 6 you already have Rsyslog and imfile so you're good to go.

Begin by configuring Rsyslog, either add the snippet below straight to rsyslog.conf or make sure rsyslog.conf has a statement like this: '$IncludeConfig /etc/rsyslog.d/*.conf' and add the snippet to f.ex '/etc/rsyslog.d/foreman.conf'.

$ModLoad imfile
$InputFileName /var/log/foreman/production.log
$InputFileTag foreman
$InputFileStateFile rsyslog-foreman-state
$InputFileSeverity info
$InputFileFacility local1
$InputRunFileMonitor @your.syslog.server

Change the specifics according to your needs. One @-symbol before the server name signifies a UDP transport and two @-symbols means TCP transport.

You're now nearly ready to go, when you restart rsyslog it will begin tracking the production.log and forwarding it to your syslog server, however you will need to configure logrotate as well.
Edit the file '/etc/logrotate.d/foreman' and add a post-rotate statement like so:

# Foreman logs:
/var/log/foreman/*.log {
  rotate 14
  # The post-rotate statment begins on the line below...
    service rsyslog stop
    rm /var/spool/rsyslog/rsyslog-foreman-state
    service rsyslog start
  # ...and end here.

This is due to the 'copytruncate' statement, this causes logrotate to do pretty much what it says, copy the log file and then truncate it in place, which means rsyslog will not notice the rotation since the inode number doesn't change, thus you will lose the forwarding as soon as a rotation takes place.

You should be all set by now.

Updated by Johan Sunnerstig over 9 years ago · 5 revisions