Here is a snippet of my rsyslog.conf that works great with one log being forwarded but not two. If I comment all of Part B, Part A works. So I can get one zeek log to forward but not two. I have at least ten to do.

How do I get multiple files to forward. Cat var/log/messages suggests an error concerning 'multiple inputs' not allowed. Everything in bold is a comment.

Send zeek logs to collector

$ModLoad imfile # Load the imfile module for tailing log files

Tail the log files and forward them to the remote server

conn.log

module(load="imfile")

input(type="imfile" File="/usr/local/zeek/logs/current/conn.log" Tag="conn.log" ruleset="remote")
ruleset(name="remote"){
action(type="omfwd" target="10.1.1.10" port="6667" protocol="udp")

Part B

dns.log

module(load="imfile")

input(type="imfile" File="/usr/local/zeek/logs/current/dns.log" Tag="dns.log" ruleset="remote")
ruleset(name="remote"){
action(type="omfwd" target="10.1.1.11" port="6668" protocol="udp")