Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Using Wildcards with rsyslog's File Monitor imfile

19,306 views

Published on

Want to monitor log files with rsyslog and use wildcards to monitor a large file set? This presentation shows you how to do that.

Published in: Technology
  • In your example you define a ruleset for infiles, but I do not see you assigning that to the input, is that no longer needed with version 8 ?
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here

Using Wildcards with rsyslog's File Monitor imfile

  1. 1. Using Wildcards with rsyslog’s File Monitor Rainer Gerhards, rsyslog project lead
  2. 2. Prerequisites ● kernel with inotify support ● at least rsyslog v8.5.0 ● if not available in your distro o use rsyslog package repository (recommended) o build from source ● imfile module (usually in base package)
  3. 3. State Files ● rsyslog needs to know how much of a file it already processed ● upon shutdown a “state file” is created with this information ● stored in rsyslog work directory ● let rsyslog generate the state file name automatically!
  4. 4. Restrictions ● wildcards are support at the file level, not at the directory level o /var/log/applog*.log is valid o /var/applog*/logfile.log is invalid ● subdirectories that match the wildcard are not processed o if /var/log/applog-dir.log is a directory, it will not be processed ● wildcards do not work in polling mode
  5. 5. Base Config Sample global(workDirectory=”/home/rsyslog/spool”)m odule(load=”imfile”) input(type=”imfile” tag=”applog” file=”/var/log/applog*.log”)
  6. 6. Sample: Remote Forwarding global(workDirectory=”/home/rsyslog/spool”) module(load=”imfile”) ruleset(name="infiles") { action(type="omfwd” target=”server.example.net” protocol=”tcp” port=”10514” ) } input(type=”imfile” tag=”applog” file=”/var/log/applog*.log”)
  7. 7. Notes on Remote Forwarding Conf ● forwarding happens totally independent from rest of logging configuration due to use of ruleset ● module() statement must occur only once ● workDirectory o is used for all rsyslog work and state files o must be set only once (usually at top of top level rsyslog.conf)

×