On 10/2/18 4:39 AM, John Cooper via rsyslog wrote:
Hi, our incoming syslogs are stored in date folders on the rsyslog server. We also want some of those logs forwarding to another server. Using imfile, the "File" name will change for the next day meaning we would have to update the config each day and lose some data. Is there a better solution for this?
Use a wildcard:
https://www.rsyslog.com/doc/v8-stable/configuration/modules/imfile.html#wildcards
(assuming your version of rsyslog supports them)

Also set addMetadata="on" in your imfile config, then you can also parse out the date from the filename stored in $!metadata!filename.

We do something similar for Kubernetes - see
https://github.com/rsyslog/rsyslog/blob/master/contrib/mmkubernetes/sample.conf
and here is the rulebase we use for parsing $!metadata!filename:
https://github.com/rsyslog/rsyslog/blob/master/contrib/mmkubernetes/k8s_filename.rulebase
input(type="imfile"
      File="/var/log/security/2018/09/21/security.log"
      Tag="server01"
      Ruleset="writeRemoteData"
)

Thanks,
John.

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
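The wildcard and addMetadata advice from the reply, applied to the input() from the question. This is an added example, not part of either message: the three-level glob assumes the YYYY/MM/DD folder layout shown in the question, and the forwarding target, the $!logdate variable and the ruleset body are placeholders for illustration.

```conf
module(load="imfile")

# One input covers every dated folder, so nothing has to be edited at midnight.
# Wildcards in directory names require an rsyslog version that supports them
# (see the imfile wildcard documentation linked in the reply).
input(type="imfile"
      File="/var/log/security/*/*/*/security.log"
      Tag="server01"
      addMetadata="on"
      Ruleset="writeRemoteData")

ruleset(name="writeRemoteData") {
    # addMetadata="on" records the source path in $!metadata!filename.
    # Extract the YYYY/MM/DD part of that path; "unknown" is stored when the
    # path does not match. $!logdate is a hypothetical variable name.
    set $!logdate = re_extract($!metadata!filename, "/([0-9]{4}/[0-9]{2}/[0-9]{2})/", 0, 1, "unknown");

    # Placeholder destination: replace with the real receiving server.
    action(type="omfwd" target="logs.example.net" port="514" protocol="tcp")
}
```

$!logdate is only sent on if a template references it; the default forwarding format does not include message variables.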

