[SOLVED] How can I make rsyslog to see only today's log file?

james000 · 09-22-2023, 01:32 PM

Hello,
I am setting up rsyslog config on Centos 7. Everyday new file will be created in apps log path, with date suffix (for example - 20230922 for today). I want that if rsyslog see IMPAIRMENT string in today's log file, then it should forward that log line to 172.30.66.18. Below is the config I will setup. But problem is file name. Everyday filename will be changed and then rsyslog won't be able to read today's file. For example, today the file is sendSyslogActionAlert_20230922.log and tomorrow there will be new file sendSyslogActionAlert_20230923.log.
Is there any way, I can put the file name in below config, so rsyslog can see only today's file? I am trying different combinations of +%Y%m%, but it seems I can't get right syntax and make it work.

Code:

[root@splunk-serv ~]# cat /var/tmp/impair.conf
module(load="imfile" PollingInterval="10")

input(type="imfile"
      File="/export/home/splunk/logs/sendSyslogActionAlert_20230922.log"
      Tag="splunk_logs"
      StateFile="splunk_logs.state"
      reopenOnTruncate="on")

if $syslogtag == "splunk_logs" and $msg contains "IMPAIRMENT" then @172.30.66.18:514
[root@splunk-serv ~]#

Thanks

boughtonp · 09-22-2023, 03:15 PM

Simpler solution is to create the log as "whatever.log" (no timestamp) and use logrotate to create the daily archives, (using dateext/dateformat/dateyesterday directives as needed).