rsyslog issue - use of wildcard - unable to get logs on rsyslog server


I’m currently working on a rsyslog project.

I’ve been experiencing some issues with rsyslog for quite a long time, and I come here hoping to find some help with this.

So, here is my goal :

  • Send over network specific logs (generated by a home-made application) from a client to a rsyslog server (that will centralize logs)
  • Log files are initially created like this : monlog_yymmdd.log (so today : monlog_190726.log)
  • To keep the same initial name at the remote end if possible.
  • To centralize several logs (7 for instance) and then use log rotation.
           - This will induce the use of wildcard in log configuration -> Here is the issue.

I’m using rsyslog version 8.24.0

First of all, I tried a configuration with one simple log file to send with use of legacy format, and it worked.
Now, still using legacy format, the use of wildcard gives random results… not satisfying at all.

So, I tried the new format to write my configuration :

->  I didn’t get anything in my rsyslog server.

Here is my client configuration :

# client configuration

module(load="imfile" mode="inotify")

ruleset(name="monlog") {
    set $.suffix=re_extract($!metadata!filename, "(.*)/([^/]*[^/.log])", 0, 2, "all.log");
    call sendToLogserver
}

input(type="imfile" File="/home/trs/log/monlog_*.log" Tag="monlog__" Ruleset="monlog" addMetadata="on" Facility="local3")

template(name="ForwardFormat" type="string" string="%msg:::drop-last-lf%\n")

ruleset(name="sendToLogserver") {
    action(type="omfwd" Target="VM-xxx" Port="514" Protocol="udp" Template="ForwardFormat")
}

# end of the forwarding rule

Here is my rsyslog server configuration :


template(name="Deposit" type="string" string="/var/log/%FROMHOST%/%PROGRAMNAME%.log")

input(type="imudp" port="514" ruleset="RemoteLogProcess")

ruleset(name="RemoteLogProcess") {
     if ($syslogfacility == 'local3') then
      set $.logpath=replace($programname,"monlog__", "");
      action(type="omfile" dynaFile="Deposit")
}

# end of the forwarding rule

The configuration check ‘rsyslogd -N 1’ is ok by the way.

At first sight, what can you notice that could not work ?

Also, I’m not sure I understand what to associate with $!metadata!filename as regex.
My first doubts are about this metadata regex… maybe it’s just this… the log file on the rsyslog server should have the same name as initially.

Thanks for your help and time, because I tried many different configurations in new format, and none worked…
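
On the regex doubt raised above, this added example (not part of the original post) models rsyslog's re_extract() in Python and runs the posted expression over constructed file paths, showing that `[^/.log]` is a set of excluded characters rather than the `.log` suffix. The `ANCHORED` pattern and the sample paths are assumptions of this example, and Python's `re` stands in for the POSIX engine, which gives the same results for these two expressions.

```python
import re

# The expression from the client ruleset above, and an anchored alternative
# (the alternative is an assumption of this example, not from the post).
POSTED = r"(.*)/([^/]*[^/.log])"
ANCHORED = r"(.*)/([^/]+)\.log$"


def re_extract(text, pattern, match, submatch, default):
    """Model of rsyslog's re_extract(): return submatch number `submatch`
    of match number `match` (both 0-based), or `default` when not found."""
    for index, found in enumerate(re.finditer(pattern, text)):
        if index == match:
            if submatch > found.re.groups:
                return default
            value = found.group(submatch)
            return default if value is None else value
    return default


def compare(paths):
    """Return {path: (posted_result, anchored_result)} for each path."""
    return {
        p: (re_extract(p, POSTED, 0, 2, "all.log"),
            re_extract(p, ANCHORED, 0, 2, "all.log"))
        for p in paths
    }


# Constructed sample paths in the directory watched by the imfile input.
SAMPLES = [
    "/home/trs/log/monlog_190726.log",
    "/home/trs/log/monlog_debug.log",
    "/home/trs/log/monlog_catalog.log",
    "monlog_190726.log",   # no directory part: neither pattern matches
]

if __name__ == "__main__":
    for path, (posted, anchored) in compare(SAMPLES).items():
        print(f"{path:36} posted={posted!r:18} anchored={anchored!r}")
```

The date-stamped name comes out intact with the posted expression only because it ends in a digit; a base name ending in `l`, `o` or `g` loses its trailing characters.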