LinuxQuestions.org


james000 09-22-2023 01:32 PM

How can I make rsyslog to see only today's log file?
 
Hello,
I am setting up an rsyslog config on CentOS 7. Every day a new file will be created in the app's log path, with a date suffix (for example, 20230922 for today). I want rsyslog, if it sees the IMPAIRMENT string in today's log file, to forward that log line to 172.30.66.18. Below is the config I will set up. But the problem is the file name. Every day the filename will change, and then rsyslog won't be able to read today's file. For example, today the file is sendSyslogActionAlert_20230922.log and tomorrow there will be a new file, sendSyslogActionAlert_20230923.log.
Is there any way I can put the file name in the config below so rsyslog sees only today's file? I am trying different combinations of +%Y%m%, but it seems I can't get the right syntax and make it work.
Code:

[root@splunk-serv ~]# cat /var/tmp/impair.conf
module(load="imfile" PollingInterval="10")

input(type="imfile"
      File="/export/home/splunk/logs/sendSyslogActionAlert_20230922.log"
      Tag="splunk_logs"
      StateFile="splunk_logs.state"
      reopenOnTruncate="on")

if $syslogtag == "splunk_logs" and $msg contains "IMPAIRMENT" then @172.30.66.18:514
[root@splunk-serv ~]#

Thanks

boughtonp 09-22-2023 03:15 PM


 
A simpler solution is to create the log as "whatever.log" (no timestamp) and use logrotate to create the daily archives (using dateext/dateformat/dateyesterday directives as needed).
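
The logrotate approach from the reply above, as an added example that is not part of either post. It assumes the application is changed to write to a fixed name, sendSyslogActionAlert.log (hypothetical), in the directory from the question, and that the imfile File= parameter points at that same path; the logrotate file name, retention count and use of copytruncate are also assumptions.

```conf
# /etc/logrotate.d/splunk-alerts   (file name is an assumption)
#
# Assumes the application now writes to a fixed path (hypothetical name):
#   /export/home/splunk/logs/sendSyslogActionAlert.log
# and that the rsyslog imfile input uses that same path in File=.
/export/home/splunk/logs/sendSyslogActionAlert.log {
    daily
    # Assumption: keep 30 daily archives.
    rotate 30
    missingok
    notifempty

    # Name archives by date instead of .1, .2, ...
    dateext
    dateformat _%Y%m%d
    # Keep ".log" at the end of the archive name, giving
    # sendSyslogActionAlert_20230922.log as in the question.
    extension .log
    # Rotation runs after midnight, so stamp the archive with the date
    # of the lines it contains rather than the date of the rotation.
    dateyesterday

    # Copy, then truncate in place, so the application keeps writing to
    # the same open file. The imfile option reopenOnTruncate="on" from
    # the question lets rsyslog pick up the truncated file again.
    # Lines written between the copy and the truncate can be lost.
    copytruncate
}
```

If the application can reopen its log on a signal, replacing copytruncate with a postrotate script that sends that signal avoids the window in which lines can be lost.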


