<div dir="ltr">Thank you<br>Another thing, please:<br>I would like to ask you if it is possible to change the TAG of a sent message<br>For example,<br>give the messages sent to a syslog server a tag value (0X11)<br>and then in the server filter on this tag<br>
I am killing myself trying to tell my teacher that the tag and priority flag are assigned automatically by syslog, and he insists on the fact that we can change their value<br><br>Thanks<br><div class="gmail_quote">2009/3/11 ILLES, Marton <span dir="ltr"><<a href="mailto:illes.marton@balabit.hu">illes.marton@balabit.hu</a>></span><br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div class="im">On Wed, 2009-03-11 at 00:26 +0100, gatfi sami wrote:<br>
</div><div class="im">> Thanks<br>
> but I want the change to be sent in (real time), if we can use this term,<br>
> because follow_freq(1) means that syslog needs to check the change in the<br>
> file every 1 second.<br>
> Is there any way to make it 0 seconds ====> detect changes in the<br>
> apache error log as they happen?<br>
> Thanks<br>
><br>
<br>
</div>Hi,<br>
<br>
Real time is a tricky thing. There will always be some latency unless<br>
you configure your apache to send logs to syslog-ng directly (over a<br>
pipe or fifo). Even pipes and fifos have a little latency though we<br>
usually ignore that.<br>
<br>
If you check from a file you can either lower the frequency of checking<br>
for changes or the PE has inotify support under linux to detect file<br>
changes. Lowering the frequency, though, results in higher CPU load as<br>
syslog-ng will be busy checking, stat()-ing the file. To lower the<br>
frequency in 3.0, just set a smaller floating number for follow_freq().<br>
<br>
| KW_FOLLOW_FREQ '(' FLOAT ')' { last_reader_options->follow_freq = (long) ($3 * 1000); }<br>
| KW_FOLLOW_FREQ '(' NUMBER ')' { last_reader_options->follow_freq = ($3 * 1000); }<br>
<br>
To set it to 0.5 sec, use follow_freq(0.5).<br>
<br>
On the other hand I think 1 sec latency should not be a problem, but<br>
logging through pipe is probably a better choice. Also apache can send<br>
error log directly to syslog.<br>
<br>
<a href="http://httpd.apache.org/docs/1.3/mod/core.html#errorlog" target="_blank">http://httpd.apache.org/docs/1.3/mod/core.html#errorlog</a><br>
<br>
cheers,<br>
<br>
Marton<br>
<div><div></div><div class="h5"><br>
> 2009/3/10 Balazs Scheidler <<a href="mailto:bazsi@balabit.hu">bazsi@balabit.hu</a>><br>
><br>
> On Mon, 2009-03-09 at 02:36 +0100, gatfi sami wrote:<br>
> > Hi, I am using syslog-ng 2.0.9.1 on open suse 11.0<br>
> ><br>
> > I configured this little script<br>
> in /etc/syslog-ng/syslog-ng.conf<br>
> ><br>
> > source my_src { file("/var/log/apache2/error_log");<br>
> };<br>
> ><br>
> > #filter my_filter { };<br>
> ><br>
> > destination<br>
> my_dest{ file("/var/log/Sami/$HOST/messages"<br>
> > owner("root") group("root") perm(0640)<br>
> dir_perm(0750)<br>
> > create_dirs(yes));<br>
> > };<br>
> ><br>
> > log { source(my_src); #filter(my_filter);<br>
> > destination(my_dest); };<br>
> > the problem is when i restart apache2 while using the tail<br>
> > -f /var/log/Sami/$HOST/messages<br>
> ><br>
> > nothing happens i have to restart syslog-ng to see those<br>
> errors<br>
> ><br>
> > By the way, I stopped the apparmor to avoid a permission<br>
> denied on the<br>
> > destination driver<br>
><br>
><br>
> Since you are using 2.0, you need to explicitly specify for<br>
> syslog-ng<br>
> that you want to poll the file for changes. You can do this<br>
> via the<br>
> follow-freq() option, e.g.<br>
><br>
> file("/var/log/apache2/error_log" follow_freq(1));<br>
><br>
> In 3.0, the default value for follow_freq() for regular files<br>
> is 1<br>
> second, so you wouldn't have to specify it explicitly.<br>
><br>
> --<br>
> Bazsi<br>
><br>
><br>
> ______________________________________________________________________________<br>
> Member info:<br>
> <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
> Documentation:<br>
> <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
> FAQ: <a href="http://www.campin.net/syslog-ng/faq.html" target="_blank">http://www.campin.net/syslog-ng/faq.html</a><br>
><br>
><br>
><br>
><br>
</div></div><font color="#888888">--<br>
Key fingerprint = F78C 25CA 5F88 6FAF EA21 779D 3279 9F9E 1155 670D<br>
</font><div><div></div><div class="h5"><br>
<br>
<br>
</div></div></blockquote></div><br></div>
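Added example, not part of the original thread or of the syslog-ng project's own documentation: a syslog-ng.conf sketch of the three ways Marton's reply describes for getting Apache's error log into syslog-ng (polling the file, a FIFO, and Apache logging straight to syslog). The source, filter and destination names, the FIFO path and the local7 facility are assumptions chosen for illustration.

```conf
# Added illustration; names, the FIFO path and local7 are assumptions.

# Option A: poll the file. follow_freq() is given in seconds. Per the grammar
# lines quoted in the thread, 3.0 accepts a float and stores it multiplied by
# 1000, so 0.5 becomes a 500 ms polling interval. A shorter interval means
# more stat() calls and more CPU spent polling.
source s_apache_file {
    file("/var/log/apache2/error_log" follow_freq(0.5));
};

# Option B: no polling. Apache writes to a named pipe that syslog-ng reads.
# Create it first (mkfifo /var/run/apache_error.fifo) and start syslog-ng
# before Apache, since opening a FIFO for writing waits for a reader.
# Apache side (httpd.conf):  ErrorLog /var/run/apache_error.fifo
source s_apache_pipe {
    pipe("/var/run/apache_error.fifo");
};

# Option C: Apache hands its error log to the local syslog socket.
# Apache side (httpd.conf):  ErrorLog syslog:local7
# If the existing configuration already has a source reading /dev/log,
# reuse that source instead of declaring a second one.
source s_local {
    unix-stream("/dev/log");
};
filter f_apache {
    facility(local7);
};

# Same destination as in the original question.
destination d_apache {
    file("/var/log/Sami/$HOST/messages"
         owner("root") group("root") perm(0640) dir_perm(0750)
         create_dirs(yes));
};

# Use exactly one of the three log paths below for a given Apache instance;
# enabling several would write every error line more than once.
log { source(s_apache_file); destination(d_apache); };
# log { source(s_apache_pipe); destination(d_apache); };
# log { source(s_local); filter(f_apache); destination(d_apache); };
```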