Not (easily?) possible to only send one log file, impossible if that file is not in /var/log

[jalenplayvs]

The ask:

• A way to exclude /var/log and all other log directories implicitly included by default, and only ingest explicitly included files
• A way to ingest logs that are either in other directories, or are symlinks from /var/log/... to other directories.
• Fix that even exclusion rules like /var/log/*, /var/log/*/*, /var/log/*/*/* will still include some log files from those directories for reasons I do not understand

I have a special one-off host that I only want to ingest one log from, and the only way I could achieve it was to create permissions so that the job I was running could log to a file in /var/log. logdna-agent refuses to pick up a file in /home, or even a symlink from /var/log/... to a file in /home

[dkhokhlov]

how do you run agent? standalone app/service or in container/pod?

[jalenplayvs]

It's running in a Ubuntu 20.04 VM in AWS EC2 (no containerization involved), installed using the instructions for .deb Linux hosts from the logdna apt repo.

[dkhokhlov]

here is the logdna.env file:

# cat /etc/logdna.env
LOGDNA_INGESTION_KEY=xxxxxxxxxxxxxxxxxx
LOGDNA_LOG_DIRS=/mnt/my_log_dir
LOGDNA_INCLUSION_RULES=/mnt/my_log_dir/*
LOGDNA_EXCLUSION_RULES=/var/log/*

Test:

# mkdir -p /mnt/my_log_dir
# systemctl restart logdna-agent
# touch /mnt/my_log_dir/my.log
# echo "test" >> /mnt/my_log_dir/my.log
# echo "test" >> /mnt/my_log_dir/my.log

[jalenplayvs]

My team mate @seano-playvs is going to take this ticket from here. As I understand it, that solution did allow collecting a log file outside of /var/log, but did not successfully exclude the files in /var/log. Sean can tell you more.