I'm running two instances of pihole in my environment, one on a RPi4 and the other in docker on a Synology DS1019+. I want to forward logs from both instances to a central graylog server (also running in Synology docker).
When I first set this up on the Pi, it worked fine but, on logrotate at midnight, rsyslog stopped forwarding entries from pihole.log. It seems that pihole logrotate is implemented by performing a copy and then truncate rather than a move. I see from reading in /opt/pihole/piholeLogFlush.sh that this was deliberate design decision to avoid dnsmasq from continuing to write to the moved file which would still have the same inode.
The problem with this approach is to do with the way that rsyslog monitors the log file. rsyslog uses a state file to maintain its current position in the log file (so that it can pick up from the correct point after a restart) but, when the file is truncated, rsyslog's state file pointer is not reset to point to the start of the file. Consequently, syslog forwarding stops.
A second problem with this approach (which isn't the main reason for writing this post but I've seen discussed elsewhere) is that log entries can get written to log file between the copy and the truncate and those entries would be lost.
An alternative approach to log rotation might be to move the old log file and then restart pihole. This approach would allow rsyslog to switch to the new log file and perform its own internal housekeeping to update the state file so log forwarding would continue. This approach would also prevent log entries from being deleted at truncation.
My preference is to raise this as a feature request but I don't have the discourse rights here yet. Nevertheless, I'm happy for us to have a chat about it here first to see whether there are some perspectives that I've missed which would make an alternative approach difficult.