using wildcards with rsyslog's file monitor imfile
DESCRIPTION
Want to monitor log files with rsyslog and use wildcards to monitor a large file set? This presentation shows you how to do that.
TRANSCRIPT
Using Wildcards with rsyslog’s File Monitor
Rainer Gerhards, rsyslog project lead
Prerequisites
● kernel with inotify support
● at least rsyslog v8.5.0
● if not available in your distro
  o use rsyslog package repository (recommended)
  o build from source
● imfile module (usually in base package)
State Files
● rsyslog needs to know how much of a file it already processed
● upon shutdown a “state file” is created with this information
● stored in rsyslog work directory
● let rsyslog generate the state file name automatically!
Restrictions
● wildcards are supported at the file level, not at the directory level
  o /var/log/applog*.log is valid
  o /var/applog*/logfile.log is invalid
● subdirectories that match the wildcard are not processed
  o if /var/log/applog-dir.log is a directory, it will not be processed
● wildcards do not work in polling mode
Base Config Sample
global(workDirectory="/home/rsyslog/spool")
module(load="imfile")
input(type="imfile" tag="applog" file="/var/log/applog*.log")
Sample: Remote Forwarding
global(workDirectory="/home/rsyslog/spool")
module(load="imfile")
ruleset(name="infiles") {
  action(type="omfwd" target="server.example.net" protocol="tcp" port="10514")
}
# bind the wildcard input to the forwarding ruleset so its messages never enter the main rule set
input(type="imfile" tag="applog" file="/var/log/applog*.log" ruleset="infiles")
Notes on Remote Forwarding Conf
● forwarding happens completely independently of the rest of the logging configuration because the input is bound to its own ruleset
● module() statement must occur only once
● workDirectory
  o is used for all rsyslog work and state files
  o must be set only once (usually at top of top level rsyslog.conf)
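A preflight script, added here and not part of the presentation or the rsyslog project, that checks the prerequisites and restrictions above before a wildcard input goes live: it compares the installed version against 8.5.0, rejects patterns with a wildcard in a directory component, checks inotify and the work directory, and asks rsyslogd to parse the base config sample with -N1. The work directory and file pattern are the sample values from the slides; the way the version is read from `rsyslogd -v` output is an assumption.

```shell
#!/bin/sh
# Preflight for an imfile wildcard input. Added example, not rsyslog project code.
# Pure helpers come first so they can be exercised without rsyslog installed.

# 0 if dotted version $1 is at least $2, e.g. version_ge 8.2404.0 8.5.0
version_ge() {
  set -- "$1." "$2."
  while [ -n "$1" ] || [ -n "$2" ]; do
    a=${1%%.*}; b=${2%%.*}
    if [ "${a:-0}" -gt "${b:-0}" ]; then return 0; fi
    if [ "${a:-0}" -lt "${b:-0}" ]; then return 1; fi
    set -- "${1#*.}" "${2#*.}"
  done
  return 0
}

# 0 if wildcards appear only in the file name component (imfile supports that);
# 1 if any directory component contains *, ? or [ (imfile does not support that).
wildcard_ok() {
  case "$(dirname "$1")" in
    *\**|*\?*|*\[*) return 1 ;;
  esac
  return 0
}

# Write the base config sample to a temp file and let rsyslogd parse it
# (-N1 checks the config without starting the daemon); also proves imfile loads.
check_config() {
  cfg=$(mktemp) || return 1
  cat >"$cfg" <<EOF
global(workDirectory="$1")
module(load="imfile")
input(type="imfile" tag="applog" file="$2")
EOF
  rsyslogd -N1 -f "$cfg"; rc=$?
  rm -f "$cfg"
  return "$rc"
}

WORKDIR=/home/rsyslog/spool    # work directory from the sample config
PATTERN='/var/log/applog*.log' # file pattern from the sample config
[ -r /proc/sys/fs/inotify/max_user_watches ] || echo "WARN: kernel inotify not available; wildcards need it"
wildcard_ok "$PATTERN" || echo "FAIL: wildcard in a directory component: $PATTERN"
[ -d "$WORKDIR" ] && [ -w "$WORKDIR" ] || echo "WARN: $WORKDIR missing or not writable; state files go there"
if command -v rsyslogd >/dev/null 2>&1; then
  ver=$(rsyslogd -v 2>/dev/null | awk 'NR==1 {print $2}')  # assumes "rsyslogd  X.Y.Z ..." on line 1
  version_ge "${ver:-0}" 8.5.0 || echo "FAIL: rsyslog ${ver:-unknown} is older than 8.5.0"
  check_config "$WORKDIR" "$PATTERN" || echo "FAIL: rsyslogd rejected the base config sample"
fi
```

Run it on the host that will do the monitoring; a FAIL line means the input will not work as the slides describe, a WARN line points at something to fix before relying on the state files.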