Here's a 'watchfile' I have from my archived notes.
It forwards 2 files.
Code:
### edit /etc/rsyslog.d/10-watchfile.conf
# load the file input module (omit if rsyslog.conf already loads it)
$ModLoad imfile
# apache error.log
$InputFileName /var/log/apache2/error.log
$InputFileTag apache-errors:
$InputFileStateFile state_file_error_apache
$InputFileFacility local6
$InputFileSeverity info
$InputRunFileMonitor
$InputFilePollInterval 10
# apache access.log
$InputFileName /var/log/apache2/access.log
$InputFileTag apache-access:
$InputFileStateFile state_file_access_apache
$InputFileFacility local6
$InputFileSeverity info
$InputRunFileMonitor
$InputFilePollInterval 10
# forward each tag to the remote host over UDP (single @), then stop processing it
if $programname == 'apache-access' then @xx.xx.xxx.xxx:514
& stop
if $programname == 'apache-errors' then @xx.xx.xxx.xxx:514
& stop
I abandoned this arrangement in favor of logstash-forwarder.
Hope this is useful for you.
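
The same two-file forwarding in rsyslog's current RainerScript syntax, as an added example that is not part of the original post. The ruleset name `fwd_apache` is made up here, and `xx.xx.xxx.xxx` is the post's own placeholder for the receiving host.

```conf
# /etc/rsyslog.d/10-watchfile.conf (RainerScript form, rsyslog v8)

# Polling mode with a 10 s interval mirrors $InputFilePollInterval 10.
# State files are managed by imfile itself, so no StateFile setting is needed.
module(load="imfile" mode="polling" PollingInterval="10")

# Dedicated ruleset: lines read from the two files are only forwarded and
# never reach the default ruleset, which replaces the
# "if $programname == ... then ... & stop" filters of the legacy form.
ruleset(name="fwd_apache") {
    # protocol="udp" matches the single "@" of the legacy config.
    # protocol="tcp" (legacy "@@") avoids silent loss of datagrams.
    action(type="omfwd"
           target="xx.xx.xxx.xxx"   # placeholder, as in the post
           port="514"
           protocol="udp")
}

# apache error.log
input(type="imfile"
      File="/var/log/apache2/error.log"
      Tag="apache-errors:"
      Facility="local6"
      Severity="info"
      ruleset="fwd_apache")

# apache access.log
input(type="imfile"
      File="/var/log/apache2/access.log"
      Tag="apache-access:"
      Facility="local6"
      Severity="info"
      ruleset="fwd_apache")
```

Running `rsyslogd -N1` checks the configuration for syntax errors before the service is restarted.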