[SOLVED] How can I make rsyslog see only today's log file?
by james000 from LinuxQuestions.org on (#6F07M)
Hello,
I am setting up an rsyslog config on CentOS 7. Every day a new file will be created in the app's log path, with a date suffix (for example, 20230922 for today). I want rsyslog to forward a log line to 172.30.66.18 if it sees the IMPAIRMENT string in today's log file. Below is the config I will set up. But the problem is the file name. Every day the filename will change, and then rsyslog won't be able to read today's file. For example, today the file is sendSyslogActionAlert_20230922.log and tomorrow there will be a new file, sendSyslogActionAlert_20230923.log.
Is there any way I can put the file name in the config below so that rsyslog sees only today's file? I am trying different combinations of +%Y%m%, but it seems I can't get the syntax right and make it work.
Code:
[root@splunk-serv ~]# cat /var/tmp/impair.conf
module(load="imfile" PollingInterval="10")
input(type="imfile"
File="/export/home/splunk/logs/sendSyslogActionAlert_20230922.log"
Tag="splunk_logs"
StateFile="splunk_logs.state"
reopenOnTruncate="on")
if $syslogtag == "splunk_logs" and $msg contains "IMPAIRMENT" then @172.30.66.18:514
[root@splunk-serv ~]#
Thanks