Support | Forums | Apps | Logscape.com

Stream your Data/ Syslog/ Watching a file

Watch a file with IMFile

Using the IMFile module for syslog, it's possible to watch a file and send any updates to a remote host via syslog, on this page you'll be guided through including IMFile in your Rsyslog installation.

Step 1) Open your rsyslog.conf

The rsyslog.conf file can be found in the /etc/ directory, once open the file will look something like

#  /etc/rsyslog.conf    Configuration file for rsyslog.
#
#                       For more information see
#                       /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
#
#  Default logging rules can be found in /etc/rsyslog.d/50-default.conf
 
 
#################
#### MODULES ####
#################
 
$ModLoad imfile
$InputFileName /var/log/audit/audit.log
$InputFileTag tag_audit_log:
$InputFileStateFile audit_log
$InputFileSeverity info
$InputFileFacility local6
$InputRunFileMonitor
 
 
$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog   # provides kernel logging support
#$ModLoad immark  # provides --MARK-- message capability
 
# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
 
# provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
 
 
###########################
#### GLOBAL DIRECTIVES ####
###########################
 
#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
 
# Filter duplicated messages
$RepeatedMsgReduction on
 
#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog
 
#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog
 
#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf

The line we are interested in, is 

$ModLoad imfile

imfile is the module that allows us to monitor a file for changes, once important can we monitor a file with the following lines

| $InputFileName /var/log/apache2/access.log
$InputFileTag apache-access:
$InputFileStateFile stat-apache-access
$InputFileSeverity info
$InputFilePersistStateInterval 20000
$InputRunFileMonitor

Then the data data can be routed to the cloud as normal.

	| template CloudApache,"LOGSCAPETOKEN:YOUR_SECURITY_TOKEN_HERE LOGSCAPETAG:apache <%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% %msg%"
*.* @@lscape1.logscape.com:1468;CloudApache
 
if $programname == 'apache-access' then @@collector.logscape.com:1468;CloudApache
if $programname == 'apache-access' then ~
if $programname == 'apache-error' then @@collector.logscape.com;CloudApache
if $programname == 'apache-error' then ~