Shipping Logs from Pi-Hole to Log Analyzer

I did a little exploring today and found an easy way to ship all of the logs from my Pi-Hole to Log Analyzer.

Create a new file, /etc/rsyslog.d/90-pihole.conf, put the following in it, and save it:

# Ship my Pi-Hole logs to Orion's Log Analyzer
*.*     action(type="omfwd" target="ServerIP" port="514" protocol="udp"
                      action.resumeRetryCount="100"
                      queue.type="linkedList" queue.size="10000")

# Define extra log sources:
module(load="imfile" PollingInterval="30")
input(type="imfile" File="/var/log/pihole.log"
         Tag="pihole"
         StateFile="/var/spool/rsyslog/piholestate1"
         Severity="notice"
         Facility="local0")
input(type="imfile" File="/var/log/pihole-FTL.log"
         Tag="piFTL"
         StateFile="/var/spool/rsyslog/piFTLstate1"
         Severity="notice"
         Facility="local0")

Replace ServerIP with your Orion Server or Additional Polling Engine's IP address and then save the file.

Lastly, you'll need to restart the rsyslog service.

sudo service rsyslog restart

The logs should be flowing in now!

Yeah, it's just something silly and fun, but it was helpful when I needed to search for a specific machine that wasn't able to communicate outside. It makes it easy to find necessary additions to your whitelist.
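The whitelist search described above can also be run offline against the forwarded messages. This is an added example, not part of the original post: the sample lines are constructed, and the dnsmasq wording for blocked answers ("gravity blocked", "exactly blacklisted", "regex blacklisted") is an assumption that varies between Pi-hole versions. The function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: pihole.log lines as forwarded with the "pihole" tag
# (PRI 133 = local0.notice). Hostname, PID, IPs and domains are made up.
PREFIX = "<133>Jan  5 10:15:01 raspberrypi pihole Jan  5 10:15:01 dnsmasq[812]: "
SAMPLE = [PREFIX + body for body in (
    "query[A] telemetry.example.net from 192.168.1.42",
    "gravity blocked telemetry.example.net is 0.0.0.0",
    "query[A] www.example.org from 192.168.1.17",
    "forwarded www.example.org to 192.0.2.53",
    "reply www.example.org is 192.0.2.80",
    "query[AAAA] telemetry.example.net from 192.168.1.42",
    "gravity blocked telemetry.example.net is ::",
    "query[A] tracker.example.com from 192.168.1.42",
    "regex blacklisted tracker.example.com is 0.0.0.0",
    "query[A] ads.example.com from 192.168.1.17",
    "exactly blacklisted ads.example.com is 0.0.0.0",
)]

QUERY = re.compile(r"dnsmasq\[\d+\]: query\[\w+\] (?P<domain>\S+) from (?P<client>\S+)")
# Assumed block wording; adjust to what your Pi-hole version writes.
BLOCK = re.compile(
    r"dnsmasq\[\d+\]: (?:gravity blocked|exactly blacklisted|regex blacklisted) "
    r"(?P<domain>\S+) is "
)

def blocked_by_client(lines):
    """Map client IP -> Counter of blocked domains.

    Block lines carry no client address, so each one is attributed to the
    client whose query for that domain was seen most recently.
    """
    last_client = {}
    hits = defaultdict(Counter)
    for line in lines:
        m = QUERY.search(line)
        if m:
            last_client[m["domain"]] = m["client"]
            continue
        m = BLOCK.search(line)
        if m and m["domain"] in last_client:  # skip blocks with no query seen
            hits[last_client[m["domain"]]][m["domain"]] += 1
    return dict(hits)

def whitelist_candidates(lines, client):
    """Blocked domains for one client, most frequently blocked first."""
    return [d for d, _ in blocked_by_client(lines).get(client, Counter()).most_common()]
```

The regexes search anywhere in the line, so the same functions work on the raw /var/log/pihole.log file as well as on messages exported from the collector.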