Hello! For the `omfile` action, the `file` parameter is a static file name. You cannot use variables there as it's not expanded (AFAIK at least). For dynamic file names you should use the `dynaFile` parameter instead.
This is explained here: https://www.rsyslog.com/doc/v8-stable/configuration/modules/omfile.html#file

So your latest example can be rewritten in this way:

```
# File name template: /var/log/external/<hostname>/windows_events-YYYYMMDD.log
template(name="events_by_date" type="list") {
    constant(value="/var/log/external/")
    property(name="hostname" securepath="replace" caseconversion="lower")
    constant(value="/windows_events-")
    property(name="timereported" dateformat="year")
    property(name="timereported" dateformat="month")
    property(name="timereported" dateformat="day")
    constant(value=".log")
}

if ($hostname != "aws-delta-mon") then {
    action(name="windows_events" type="omfile"
           dynaFile="events_by_date"
           dirOwner="root" dirGroup="root"
           dirCreateMode="0755" fileCreateMode="0644"
    )
}
```

A list-type template definition is longer than a string-type one but it's easier to understand (for me at least).

I added the `securepath` option to increase security. Otherwise an evil person may send e.g. "../../../etc" as a hostname and you will write the log into the /etc directory.

`caseconversion` will make all your hostnames lower case, which is convenient for mixed Windows/Linux environments. Usually Windows hostnames are uppercase (at least it was so a while ago).

Then I added the dir* `omfile` properties to ensure newly created log files will have proper ownership and permissions.

If you would like to write messages in some specific format then you may define another template and specify it in the `omfile`'s `template` option. This will affect just the message format, not the file name format.

On Thu, 11 Mar 2021 at 02:14, linksonice via rsyslog <[email protected]> wrote:

> Even better, the total solution:
>
> ###############
> if ($hostname != "aws-delta-mon") then {
> $template DynaFile,"/var/log/external/%HOSTNAME%/windows_events-%$YEAR%%$MONTH%%$DAY%.log"
> *.* -?DynaFile
> }
> ###############
>
> This prevents the rsyslog server from logging everything in duplicate under
> /var/log/external.
>
> I realised somewhat late in the game that $template [pre-V6 notation] is
> acceptable in v8 or post v6, but the issue I found, if you read the entire
> thread here is that whilst it's acceptable syntactically, it just doesn't
> work. Maybe there was something else missing in my rsyslog.conf, but it's
> just not straightforward enough really. Hope this helps somebody going
> forward. Call me lazy [and many do :D], but maybe the documentation could
> use a bunch of tried and tested example use cases.
>
> --
> Sent from: http://rsyslog-users.1305293.n2.nabble.com/
> _______________________________________________
> rsyslog mailing list
> https://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.

--
Yury Bushmelev
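The following is an added example, not part of the original message and not rsyslog project code: a small Python audit that reports message-derived properties reaching a dynamic file name without `securepath` (list templates) or `secpath-*` (string templates). The function name, the `SENDER_CONTROLLED` list and both sample configurations are assumptions constructed from the two snippets in this thread.

```python
import re

# Properties filled from message content (assumed, non-exhaustive list).
SENDER_CONTROLLED = {"hostname", "programname", "syslogtag", "app-name"}

LIST_TPL = re.compile(r'template\s*\(\s*name="([^"]+)"\s+type="list"\s*\)\s*\{(.*?)\}', re.S)
LIST_PROP = re.compile(r'property\s*\(([^)]*)\)')
LEGACY_TPL = re.compile(r'^\s*\$template\s+(\w+)\s*,\s*"([^"]*)"', re.M)
STRING_PROP = re.compile(r'%([^%:]+)(:[^%]*)?%')

def unsafe_dynafile_properties(conf):
    """Return sorted (template, property) pairs that reach a file name without securepath."""
    # Templates used as file names: dynaFile="x" in action(), or "?x" in a legacy selector line.
    used = set(re.findall(r'dynaFile\s*=\s*"([^"]+)"', conf))
    used |= set(re.findall(r'^\s*\S+\s+-?\?(\w+)', conf, re.M))
    findings = set()
    for name, body in LIST_TPL.findall(conf):
        for args in LIST_PROP.findall(body):
            prop = re.search(r'name="([^"]+)"', args).group(1).lower()
            if name in used and prop in SENDER_CONTROLLED and "securepath=" not in args.lower():
                findings.add((name, prop))
    for name, text in LEGACY_TPL.findall(conf):
        for prop, opts in STRING_PROP.findall(text):
            if name in used and prop.lower() in SENDER_CONTROLLED and "secpath" not in opts.lower():
                findings.add((name, prop.lower()))
    return sorted(findings)

# Constructed samples modelled on the two configurations in this thread.
HARDENED = '''
template(name="events_by_date" type="list") {
    constant(value="/var/log/external/")
    property(name="hostname" securepath="replace" caseconversion="lower")
    constant(value="/windows_events-")
    property(name="timereported" dateformat="year")
    constant(value=".log")
}
action(name="windows_events" type="omfile" dynaFile="events_by_date")
'''
LEGACY = '''
$template DynaFile,"/var/log/external/%HOSTNAME%/windows_events-%$YEAR%%$MONTH%%$DAY%.log"
*.* -?DynaFile
'''

if __name__ == "__main__":
    for label, conf in (("hardened", HARDENED), ("legacy", LEGACY)):
        print(label, unsafe_dynafile_properties(conf))
```

A finding in a string template is cleared by adding the property replacer option, for example `%HOSTNAME:::secpath-replace%`, which replaces slashes in the value with underscores.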

