Reputation: 13
I'm using the template below to extract only the required fields from the firewall log to save bandwidth and license cost in Splunk. It works when I save to a static file, but I need the file names to carry a timestamp so that I can rotate the old logs. I'm trying to use DynaFile, but I don't know how I can use both templates for a single log.
Working template with static file:
# Line template: keep only the needed fields. Submatch 0 returns the whole match,
# so each field is emitted as key=value. The eventtime regex was [1-9]+, which
# stops at the first 0 in the Unix timestamp; [0-9]+ captures the whole number.
template(name="clean" type="string"
string="%TIMESTAMP% %HOSTNAME% %msg:R,ERE,0,DFLT:type=\"([^\"]*)\"--end% %msg:R,ERE,0,DFLT:subtype=\"([^\"]*)\"--end% %msg:R,ERE,0,DFLT:level=\"([^\"]*)\"--end% %msg:R,ERE,0,DFLT:eventtime=[0-9]+--end% %msg:R,ERE,0,DFLT:srcip=(.*) srcport=[0-9]+--end% %msg:R,ERE,0,DFLT:srcintf=\"([^\"]*)\"--end%\n"
)
# Static file: only messages from the firewall host are written, using the template above.
if $hostname == '192.168.0.1' then action(type="omfile" file="/var/log/firewall.log" template="clean")
How can I save the outcome of this template using DynaFile? Thanks for your time.
Upvotes: 0
Views: 2558
Reputation: 12255
The omfile module accepts the parameter "dynaFile=" instead of "file=" to specify a template for a dynamic filename.
If you just use %timestamp% in your filename, it will probably create a new file for each message, as the timestamp includes hours, minutes and seconds. One possibility is to convert the timestamp into a standard format called RFC 3339, and then just take the year-month-date part of that string, using a property replacer.
template(name="mydynafile" type="string" string="/var/log/my-%timestamp:1:10:date-rfc3339%.log")
if $hostname == '192.168.0.1' then action(type="omfile" dynaFile="mydynafile" template="clean")
Upvotes: 0
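The two templates combined in one rsyslog action, as an added example that is not part of the question or the answer above: the "clean" template formats each line and the dynamic file-name template picks a per-day file. The directory path /var/log/firewall, the template name "fwdynafile", the 0750/0640 creation modes and the trailing "stop" are assumptions chosen for illustration.

```rsyslog
# Added example, not from the original post. Assumes rsyslog v8 RainerScript
# syntax; omfile is built in, so no module(load=...) line is needed.

# Line template (same regexes as the question; submatch 0 keeps key=value).
template(name="clean" type="string"
  string="%TIMESTAMP% %HOSTNAME% %msg:R,ERE,0,DFLT:type=\"([^\"]*)\"--end% %msg:R,ERE,0,DFLT:subtype=\"([^\"]*)\"--end% %msg:R,ERE,0,DFLT:level=\"([^\"]*)\"--end% %msg:R,ERE,0,DFLT:eventtime=[0-9]+--end% %msg:R,ERE,0,DFLT:srcip=(.*) srcport=[0-9]+--end% %msg:R,ERE,0,DFLT:srcintf=\"([^\"]*)\"--end%\n"
)

# File-name template: %timestamp:1:10:date-rfc3339% is characters 1-10 of the
# RFC 3339 form of the message timestamp, i.e. YYYY-MM-DD, so one file per day
# (the path /var/log/firewall is an assumption).
template(name="fwdynafile" type="string"
  string="/var/log/firewall/firewall-%timestamp:1:10:date-rfc3339%.log"
)

# One action uses both templates: dynaFile selects the file, template formats
# the line. createDirs/dirCreateMode/fileCreateMode keep the firewall logs
# readable only by the syslog user and its group rather than world-readable.
if $hostname == '192.168.0.1' then {
    action(type="omfile"
           dynaFile="fwdynafile"
           template="clean"
           createDirs="on"
           dirCreateMode="0750"
           fileCreateMode="0640"
           dynaFileCacheSize="10")
    # Do not let the same message fall through to the default rules
    # (for example /var/log/messages), which would double the stored volume.
    stop
}
```

Because the file name already changes once a day, rotation becomes deletion by age (for example a scheduled find on /var/log/firewall with -mtime) rather than a rename-based logrotate; the "stop" keeps the full, unfiltered message out of the default catch-all files, which is what the bandwidth and license saving depends on.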