Enable log rotation in rsyslog


How do I enable log rotation in the rsyslog configuration? The method described in the official rsyslog documentation, using output channels, is not working for me.

The script given in the official documentation of rsyslog for output channel is available here: https://www.rsyslog.com/doc/master/tutorials/log_rotation_fix_size.html

module(load="imudp" TimeRequery="500")

module(load="omstdout")
module(load="omelasticsearch")

module(load="mmjsonparse")
module(load="mmutf8fix")

ruleset(name="prismaudit_rs") {
      action(type="omfile" dirCreateMode="0777" fileCreateMode="0777" file="/logs/prismaudit.log")
}

$outchannel log_rotation,/logs/prismaudit.log, 3000,/etc/log_rotation_script
*.* :omfile:$log_rotation

#input(type="imptcp" port="514")
input(type="imudp" port="514" ruleset="prismaudit_rs")

This is the snippet of code I am using. I have also tried adding the output channel part of the code inside the ruleset (after the action statement).

My log rotation script: mv -f /logs/prismaudit.log /logs/log_rotation.log.1


There are 2 best solutions below

1
On

First of all, I think you misunderstood something there and should read the documentation again.

The log rotation is not working because the content you currently have in /etc/log_rotation_script should be in /etc/rsyslog.conf or /etc/rsyslog.d/filename.conf, as the configuration of rsyslog is handled in there.

The only purpose of the /etc/log_rotation_script is to move a "full" (when the limit of currently 3KB is hit) file to another file/location.

The /etc/rsyslog.conf (simplified) would then look something like the following:

# Load modules
module(load="imudp")

# Set the default permissions for all log files
module(load="builtin:omfile"
    fileOwner="root"
    fileGroup="adm"
    fileCreateMode="0777"
    dirCreateMode="0777")

# Receive logs over udp from somewhere
input(type="imudp" address="127.0.0.1" port="514")

# If max file size (50MB) is reached execute /path/to/log_rotation_script
# (the output channel is defined before the action that references it)
$outchannel log_rotation,/logs/prismaudit.log, 52428800,/path/to/log_rotation_script

# log everything to /logs/prismaudit.log by using the output channel
*.* :omfile:$log_rotation

The script that is executed when the max file size is reached could then just move the file:

/path/to/log_rotation_script

# move original log to (a kind of) backup log file
mv -f /logs/prismaudit.log /logs/prismaudit.log.1
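
A single `mv -f` onto one `.1` name overwrites the previous copy every time the size limit is hit, so only one generation of the audit log survives. The script below is an added example, not part of the original answer or the rsyslog documentation: it keeps several generations and tightens the permissions of rotated files. The default path is the one used on this page; the retention count of 5, the 0640 mode and the optional arguments are assumptions.

```shell
#!/bin/sh
# Added example: rotation script for an rsyslog output channel.
# Default path is the page's; retention count and modes are assumptions.
umask 027   # rotated copies get no access for "other"

rotate_log() {
    log=$1
    keep=${2:-5}

    # The retention count must be a positive integer.
    case $keep in
        ''|*[!0-9]*|0) echo "rotate_log: bad count '$keep'" >&2; return 2 ;;
    esac

    # Nothing to rotate if the live file is absent.
    [ -e "$log" ] || [ -L "$log" ] || return 0

    # The page's config creates the log directory with mode 0777, so check
    # that the path is still a regular file and not a symlink before moving.
    if [ -L "$log" ] || [ ! -f "$log" ]; then
        echo "rotate_log: $log is not a regular file, refusing" >&2
        return 1
    fi

    # Drop the oldest generation, then shift N-1 -> N, ..., 1 -> 2.
    rm -f -- "$log.$keep"
    i=$keep
    while [ "$i" -gt 1 ]; do
        prev=$((i - 1))
        if [ -f "$log.$prev" ]; then
            mv -f -- "$log.$prev" "$log.$i"
        fi
        i=$prev
    done

    # Move the full file aside so the live path is free again.
    mv -f -- "$log" "$log.1"
    chmod 0640 -- "$log.1"
}

# With no arguments this rotates the page's log file, keeping 5 generations.
rotate_log "${1:-/logs/prismaudit.log}" "${2:-5}"
```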
0
On

Currently I use the Template feature to sort the different sources that RSyslog receives:

$template mylogs,"/disk2/syslog/%$YEAR%%$MONTH%%$DAY%/%FROMHOST-IP%.log"

With this I have my logs sorted. As you can see, I use RSyslog properties.

Now I want to apply rotation by size. Currently I use logrotate, but I don't like it, and I've found that RSyslog has the Output Channels feature.

I have read that RSyslog properties can only be used in Templates and Conditional Statements, so it seems that the filename field of Output Channels must be static.

Do you know if it is feasible to get the same result with Output Channels that I have with Templates?

Thanks