The rsyslog handling of the pihole log file is working great now. It didn't have any problems at midnight when the log file rotation was done. However, I think the main reason it's working now is that I inadvertently removed the rsyslog work directory /var/spool/rsyslog. In preparation for my test I did an "rm -r" command intending to remove the imfile-state files within that directory. It didn't occur to me that the directory would be removed too (I'm not exactly a linux guru). Without a working directory set up rsyslog evidently tries to use "/" but I don't think it could write there. Presumably imfile is not using state files at this point and everything is working perfectly.
My reading of the imfile documentation about state files leads me to suspect that if I restart rsyslog it might read the entire pihole log file and send it to my NAS via port 514 -- if so, I can live with that scenario. I will restart rsyslog to check this out but restarting rsyslog isn't something I would ever do routinely so I can live with extra log data being sent to my NAS if that's how this works.
I did make some changes to my initial rsyslog configuration:
-
I removed
/etc/rsyslog.d/pihole.confand/etc/rsyslog.d/piholeftl.conf -
I changed
/etc/rsyslog.confand replaced my initialmodule(load="imfile")with these 2 lines:
module load=("imfile" PollingInterval="30")
input(type="imfile" File="/var/log/pihole/pihole.log" Tag="pihole:" deleteStateOnFileDelete="off" PersistStateInterval="0" reopenOnTruncate="on")
The 4 statements from my previous reply that load imtcp and imudp for port 514 processing were left in the conf file, as was the log server IP and port number statement.
I'm not doing anything with pihole-FTL.log at this point.
I'm not suggesting that this setup is a best practice by any means, but it's working nicely for me. If anyone with rsyslog expertise wants to suggest improvements just let me know and I'll tweak my setup.