export-to-rsyslog — export cyclog logs to a remote log stash using the RSYSLOG protocol


export-to-rsyslog {directory}


export-to-rsyslog is a variation on the follow-log-directories(1) command. It operates as that command does, with the aid of the cursors in directory, except that instead of writing log lines to its standard output it sends them across the network to an RSYSLOG server.

It expects to inherit an open file descriptor that is a client of the RSYSLOG server, and writes to it each log line that it reads from a log. This is file descriptor 7, per the UCSPI convention for client tools.

It expects the file descriptor to be open for writing to a datagram or message socket or device. If it is a socket, it must already be connected so that the write(2) system call works correctly.

export-to-rsyslog converts log lines that it has read into RFC 5424 form and then writes them to the server. It strips trailing newlines from each log line, converts initial TAI64N timestamps, and employs the value of the TCPLOCALHOST environment variable (or whatever similar environment variable is denoted by PROTO) and the name of the cursor directory in the HOSTNAME and APP-NAME fields. It writes each log line with a single system call in order to mark the message boundaries between log lines.

RFC 3164 form is ambiguous and extremely lossy and is not supported. RFC 5424 form is still lossy, but not quite as much since it permits full years and only loses microsecond and nanosecond information.

export-to-rsyslog treats TAI64N timestamps correctly. On a Linux system where it detects an Olson "right" timezone currently in use, it knows that the system clock is TAI seconds since the Epoch and performs a simple conversion to determine system clock time. On other Linux systems, and on BSDs, it assumes that the system clock is UTC seconds since the Epoch and attempts to correct for (known) UTC leap seconds in order to determine UTC system clock time.
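The conversion and framing described above, as an added Python sketch that is not code from export-to-rsyslog itself. It takes the UTC-system-clock path, turns a TAI64N-stamped line into one RFC 5424 message, and sends each message with its own send() call. Assumptions of the example: PRI 14 (user.info), nil PROCID/MSGID/STRUCTURED-DATA, milliseconds kept in the timestamp, a leap second table truncated to 1999 onward, and constructed sample lines, host name and application name.

```python
import socket
from datetime import datetime, timezone

# (UTC date a new TAI-UTC offset took effect, offset in seconds).
# Assumption: table truncated to 1999 onward; older stamps are rejected.
LEAPS = [((1999, 1, 1), 32), ((2006, 1, 1), 33), ((2009, 1, 1), 34),
         ((2012, 7, 1), 35), ((2015, 7, 1), 36), ((2017, 1, 1), 37)]

def tai64n_to_rfc5424_time(label):
    """'@' + 24 hex digits -> RFC 5424 TIMESTAMP (UTC, milliseconds kept)."""
    if len(label) != 25 or label[0] != "@":
        raise ValueError("not a TAI64N label")
    tai = int(label[1:17], 16) - (1 << 62)  # TAI seconds since the Epoch
    nanos = int(label[17:], 16)
    if nanos >= 10**9:
        raise ValueError("nanosecond field out of range")
    offset = None
    for ymd, off in LEAPS:
        start = int(datetime(*ymd, tzinfo=timezone.utc).timestamp())
        if tai >= start + off:
            offset = off
    if offset is None:
        raise ValueError("timestamp predates the leap second table")
    # RFC 5424 forbids a seconds value of 60, so an inserted leap second
    # collapses onto the 00:00:00 that follows it.
    utc = datetime.fromtimestamp(tai - offset, timezone.utc)
    return utc.strftime("%Y-%m-%dT%H:%M:%S") + ".%03dZ" % (nanos // 1_000_000)

def to_rfc5424(line, hostname, app_name, pri=14):
    """One cyclog line -> one RFC 5424 message (PRI 14 = user.info, assumed)."""
    label, _, msg = line.rstrip("\n").partition(" ")
    stamp = tai64n_to_rfc5424_time(label)
    # PROCID, MSGID and STRUCTURED-DATA are sent as the nil value "-".
    return f"<{pri}>1 {stamp} {hostname} {app_name} - - - {msg}".encode()

def export(lines, sock, hostname, app_name):
    """Send each line with its own send() so datagram boundaries frame it."""
    for line in lines:
        sock.send(to_rfc5424(line, hostname, app_name))

if __name__ == "__main__":
    # Constructed sample lines and a local datagram pair standing in for fd 7.
    tx, rx = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    sample = ["@40000000586846a5075bcd15 sshd: session opened\n",
              "@40000000586846a600000000 sshd: session closed\n"]
    export(sample, tx, "host.example", "sshd-log")
    for _ in sample:
        print(rx.recv(65535).decode())
```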


Jonathan de Boyne Pollard