2

I have log forwarding set up using rsyslog and imfile. How could I go about watching nested log files?

Right now I'm using wildcards to watch all files matching log/*.log, but I have logs nested 1 level deep that I need to forward as well: log/EventXXX/*.log.

Unfortunately, I cannot change this directory structure, and new log/Event/ directories crop up over time. I know that unfortunately imfile currently does not support wildcards on a directory-level (only on a file-level).

dsomach

2 Answers

0

You could write a script to scan for new sub-directories, adding any new ones to your rsyslog configuration, which can be run periodically via cron.

You would likely want to add new configuration directives to a new file under /etc/rsyslog.d/ to help mitigate risk of something going wrong and borking up your syslog configuration completely. Perhaps not for the faint of heart though. ;)

Otherwise there is no good option to automatically recognize new sub-directories as you have already found. Some sort of manual intervention will be required.

  • This is probably the route I would have gone, had I stuck with rsyslog. Wish I could vote up but I need 15 reputation to do that :/ – dsomach Jan 23 '15 at 17:20
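
One way to implement the cron-driven approach from the answer above (an added example, not code from the original answer; the file paths, the Tag naming and the function names are assumptions). It writes one imfile input per sub-directory to its own file under /etc/rsyslog.d/, skips directory names that are not safe to embed in the configuration, and restarts rsyslog only when the generated file changed and `rsyslogd -N1` accepts the configuration.

```shell
#!/bin/sh
# Added example: regenerate imfile inputs for log/<subdir>/*.log.
# Assumes module(load="imfile") is already present in the main configuration.

# Print one imfile input per first-level sub-directory of $1.
gen_imfile_conf() {
    root=$1
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue              # glob matched nothing
        name=$(basename "$dir")
        # The directory name is written into the config: skip anything
        # outside a conservative character set (quotes, spaces, newlines).
        case "$name" in
            *[!A-Za-z0-9._-]*) echo "skipping unsafe name: $name" >&2; continue ;;
        esac
        printf 'input(type="imfile" File="%s/%s/*.log" Tag="%s:")\n' \
            "$root" "$name" "$name"
    done
}

# Regenerate config file $2 from the directories under $1.
# Returns 0 if the file was replaced, 1 if it was already up to date.
update_imfile_conf() {
    root=$1
    conf=$2
    tmp=$(mktemp "$conf.XXXXXX") || return 2   # same directory, so mv is atomic
    gen_imfile_conf "$root" > "$tmp"
    if [ -f "$conf" ] && cmp -s "$tmp" "$conf"; then
        rm -f "$tmp"
        return 1
    fi
    chmod 644 "$tmp"
    mv "$tmp" "$conf"
    return 0
}

# Cron entry point (hypothetical paths):
#   */5 * * * * /usr/local/sbin/rsyslog-nested.sh /path/to/log /etc/rsyslog.d/60-nested.conf
if [ "$#" -eq 2 ]; then
    if update_imfile_conf "$1" "$2"; then
        # Check the whole configuration first; skip the restart if it fails.
        rsyslogd -N1 && service rsyslog restart
    fi
fi
```
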
0

I ended up going with Logstash and Logstash-forwarder for this project. Logstash-forwarder supports wildcards on a directory-level, requiring no manual intervention.

dsomach