[ArjenR49]

I have had my XR500 sending its syslog to an rsyslog server, which is a Raspberry Pi also serving as the local PiHole DNS server and more. This works fine, but ....

over time the router.log file keeps growing and growing, of course, until today it reached 300 Mb in size.
I figured it is time to set up logrotate for router.log on the rsyslog server.

Using the following settings
/var/log/router.log
{
daily
missingok
create 0644 root root
rotate 7
compress
notifempty
delaycompress
}

logrotate indeed rotates router.log and creates the new file.

However, the router persists in writing to the rotated file router.log.1 ...
Eventually this is bound to create a problem, when router.log.1 is rotated to router.log.2.gz (the next day ...).

Rebooting the router doesn't seem to help.

How should I change the logrotate settings on the rsyslog server to have the router notice the new file?

Rebooting both devices appeared to make the router write to router.log again, but it is hardly a practical or sensible solution.

[kernel-panic69]

https://duckduckgo.com/?q=rsyslog+writes+to+rotated+log+file+after+rotation+and+not+to+new+file

https://github.com/rsyslog/rsyslog/issues/3952

https://computingforgeeks.com/perform-proper-rsyslog-logs-rotation-using-logrotate/

[ArjenR49]

@kernel-panic69:
Thanks! This helped a lot. I got rsyslog and logrotate sorted out.

Files related to rsyslog and logrotate as I have them now:

/etc/logrotate.d/router:

/var/log/router.log
{
daily
missingok
create 0644 root root
rotate 7
compress
notifempty
delaycompress
postrotate
/usr/bin/systemctl kill -s HUP rsyslog.service >/dev/null 2>&1 || true
endscript
}

The postrotate command line replaces the 'rsyslog-rotate' script that is also used in the default logrotate.d files for rsyslog. It didn't work for the router.log. The clause with HUP as above works.

Below /etc/rsyslog.d/routerlog.conf (filename can be any valid name).
This conf file sets the file name for the log messages sent by the router on 192.168.1.1 through port 514 ...

#$template NetworkLog, "/var/log/router.log"
#:fromhost-ip, isequal, "192.168.1.1" -?NetworkLog
#& STOP

#$template routerlog, "/var/log/router.log"
#if $fromhost-ip startswith "192.168.1.1" then -?routerlog
#& stop

# Yet another form of syntax ...
if ($fromhost-ip == "192.168.1.1" ) then /var/log/router.log

Having different forms of filter clauses on different rsyslog servers is confusing. I found and tried the above which originated from different sources and all appear to work. Take your pick.
There are many instances of the same Rsyslog documentation on the internet, but I found it to be very complicated to figure out - felt like reading the 'Revised report on Algol 60' and almost no simple examples or recent tutorials.

In addition you need to have uncommented the below lines in /etc/rsyslog.conf:

# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")

# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")

/etc/logrotate.conf is as installed.
I think this covers the files involved (my rsyslog servers run Raspberry Pi OS i.e. linux).