I want to send logs to a remote syslog server. I configured the basic settings to send everything, and sure enough, logs started flowing.
Then I got fancy and needed to send a custom file as a log that was not default configured to be watched by syslog. I used the imfile module in rsyslog. Here is the config:
root@vyos:/pihole/var-log-pihole# cat /etc/rsyslog.d/10-pihole.conf
# File 1
input(type="imfile" File="/pihole/var-log-pihole/pihole.log"
Tag="pihole"
Severity="info"
Facility="local2")
The first time I executed “systemctl restart rsyslog”, nothing happened on the remote end. After a few minutes of lines being written to the file, I issued restart again.
Boom. Logs flowed in. In fact, all of the logs that had come in since the first restart up until the second restart. Basically the logs had been cached by rsyslog but not sent across until a second restart.
And that’s where I sit. Nothing flows automatically. Every time I restart rsyslog, whatever cache is stored is flushed to the remote server. All at once. And then nothing is sent again until the next restart.
All other logs that are a part of rsyslog by default flow in to the remote server as they happen
Has anyone ever seen this?
As a side note, I installed fluent-bit to see if I could just use that, and fluent-bit never sends logs to my remote collector. Exact same config as on other debian instances I have that work.