# create a conf file (/etc/rsyslog.d/10-mylog.conf) as follows# then restart rs

1. # create a conf file (/etc/rsyslog.d/10-mylog.conf) as follows
2. # then restart rsyslog: sudo /etc/init.d/rsyslog restart
3. # in this example, i search log entries for the word "sda"
4. # and log in text format in /var/log/hdt.log and in json in /var/log/hdj.log
5.  
6. module(load="mmjsonparse")
7.  
8. template(name="json-template"
9. type="list") {
10. constant(value="{")
11. constant(value="\"@timestamp\":\"") property(name="timereported" dateFormat="rfc3339")
12. constant(value="\",\"@version\":\"1")
13. constant(value="\",\"message\":\"") property(name="msg" format="json")
14. constant(value="\",\"sysloghost\":\"") property(name="hostname")
15. constant(value="\",\"severity\":\"") property(name="syslogseverity-text")
16. constant(value="\",\"facility\":\"") property(name="syslogfacility-text")
17. constant(value="\",\"programname\":\"") property(name="programname")
18. constant(value="\",\"procid\":\"") property(name="procid")
19. constant(value="\"}\n")
20. }
21.  
22. :msg, contains, "sda" -/var/log/hdt.log
23. :msg, contains, "sda" -/var/log/hdj.log;json-template