We were able to successfully ingest logs to our target Sumo. Need one quick help: if we want to ingest more than one log of the same name, how can we ingest them? * doesn't work; I have tried. Below is the log snippet which we need to ingest:
-rw-rw-r-- 1 imps imps 104858301 Mar 19 17:36 etatrans20190319-0001.log
-rw-rw-r-- 1 imps imps 2020668 Mar 19 23:38 etanotify20190319-0242.log
-rw-rw-r-- 1 imps imps 34248754 Mar 19 23:56 etatrans20190319-1736.log
-rw-rw-r-- 1 imps imps 104857613 Mar 20 17:28 etatrans20190320-0001.log
-rw-rw-r-- 1 imps imps 1832944 Mar 20 23:42 etanotify20190320-0300.log
-rw-rw-r-- 1 imps imps 33218805 Mar 20 23:56 etatrans20190320-1728.log
This is how I am ingesting in rsyslog
Notes from Broadcom engineering:
From what I have tested internally, we need the latest version of rsyslogd to support wildcards. The vApp is shipped with version 5.8.10:
rsyslogd 5.8.10, compiled with:
GSSAPI Kerberos 5 support: Yes
FEATURE_DEBUG (debug build, slow code): No
32bit Atomic operations supported: Yes
64bit Atomic operations supported: Yes
Runtime Instrumentation (slow code): No
See http://www.rsyslog.com for more information.
On a test machine (non-vApp machine), even with rsyslogd version 7.x, I was not able to use wildcards for filenames. After upgrading rsyslogd to 8.19, I was able to see it pick up wildcards for filenames and monitor multiple files.
Please refer to https://www.slideshare.net/rainergerhards1/using-wildcards-with-rsyslogs-file-monitor-imfile, section "Using Wildcards with rsyslog's File Monitor imfile". It clearly says:
Prerequisites
● kernel with inotify support
● at least rsyslog v8.5.0
I don't think without updating the rsyslogd version we will be able to accomplish what the customer is looking for.
We need this update in the vApp.
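The prerequisites quoted above can be checked before deploying a wildcard configuration. The script below is an added example, not part of the original thread or of the vApp: it parses the `rsyslogd -v` banner, compares it with 8.5.0, and only then prints imfile inputs for the two log families in the listing. The log directory argument, the tags, and the use of `/proc/sys/fs/inotify` as the inotify indicator are assumptions.

```shell
#!/bin/sh
# Added example: gate an imfile wildcard config on the prerequisites quoted above.
MIN_VERSION="8.5.0"   # minimum rsyslog release named in the slide deck

# Pull the dotted version out of the first line of `rsyslogd -v` output.
parse_rsyslog_version() {
    printf '%s\n' "$1" | sed -n '1s/^rsyslogd[[:space:]]*\([0-9][0-9.]*\).*/\1/p'
}

# Numeric, field-by-field comparison: succeeds when $1 >= $2 (8.19 > 8.5).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

imfile_wildcards_supported() {
    v=$(parse_rsyslog_version "$1")
    [ -n "$v" ] && version_ge "$v" "$MIN_VERSION"
}

# Assumption: on Linux, this directory exists when the kernel has inotify.
kernel_has_inotify() { [ -d /proc/sys/fs/inotify ]; }

# Print one imfile input per log family from the listing; $1 is the log directory.
emit_imfile_conf() {
    cat <<EOF
module(load="imfile" mode="inotify")
input(type="imfile" File="$1/etatrans*.log" Tag="etatrans:")
input(type="imfile" File="$1/etanotify*.log" Tag="etanotify:")
EOF
}

# Run as: sh check.sh --check /path/to/logdir  (script name and path are placeholders)
if [ "${1:-}" = "--check" ]; then
    if imfile_wildcards_supported "$(rsyslogd -v 2>/dev/null)" && kernel_has_inotify; then
        emit_imfile_conf "$2"
    else
        echo "imfile wildcards need rsyslog >= $MIN_VERSION and inotify" >&2
        exit 1
    fi
fi
```

The comparison is numeric per field, so 8.19 is correctly treated as newer than 8.5, which a plain string comparison would get wrong.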