<div dir="auto">Thanks. Will try that one</div><div class="gmail_extra"><br><div class="gmail_quote">On Nov 20, 2017 10:32 AM, "Fekete, Róbert" <<a href="mailto:robert.fekete@balabit.com">robert.fekete@balabit.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi, <div><br></div><div>I believe you are looking for the R_HOUR macro (<a href="https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/date-macros.html" target="_blank">https://www.balabit.com/<wbr>documents/syslog-ng-ose-<wbr>latest-guides/en/syslog-ng-<wbr>ose-guide-admin/html/date-<wbr>macros.html</a>)</div><div><br></div><div>HTH, </div><div><br></div><div>Robert</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Nov 20, 2017 at 4:29 PM, craig bowser <span dir="ltr"><<a href="mailto:reswob10@gmail.com" target="_blank">reswob10@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto"><div dir="auto"><br></div><div dir="auto"><p style="font-family:sans-serif;font-size:13.696px">So according to<u></u><u></u></p><p style="font-family:sans-serif;font-size:13.696px"><u></u> <u></u></p><p style="font-family:sans-serif;font-size:13.696px"><a href="https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/example-logrotate.html" style="text-decoration-line:none;color:rgb(66,133,244)" target="_blank">https://www.balabit.com/docume<wbr>nts/syslog-ng-ose-latest-guide<wbr>s/en/syslog-ng-ose-guide-admin<wbr>/html/example-logrotate.html</a><u></u><u></u></p><p style="font-family:sans-serif;font-size:13.696px"><u></u> <u></u></p><pre style="white-space:pre-wrap;margin:0in 0in 0.0001pt;font-size:10pt;font-family:"courier new"">using this format:  destination d_sorted { file("/var/log/remote/${HOST}/<wbr>${YEAR}_${MONTH}_${DAY}.log" create-dirs(yes)); };<u></u><u></u></pre><p style="font-family:sans-serif;font-size:13.696px"><u></u> <u></u></p><p style="font-family:sans-serif;font-size:13.696px"><u></u> <u></u></p><p style="font-family:sans-serif;font-size:13.696px">I can create logs folders and files based on the timestamp.  And this is working nicely for us... With a caveat.<u></u></p><p style="font-family:sans-serif;font-size:13.696px"><u></u> <u></u></p><p style="font-family:sans-serif;font-size:13.696px">We are getting a TON of logs, so we want to rotate hourly and archive quickly.<u></u><u></u></p><p style="font-family:sans-serif;font-size:13.696px"><u></u> <u></u></p><p style="font-family:sans-serif;font-size:13.696px">My config is this:  destination d_msg { file("/var/log/message_${YEAR}<wbr>_${MONTH}_${DAY}_${HOUR}.log")<wbr>; };<u></u><u></u></p><p style="font-family:sans-serif;font-size:13.696px"><u></u> <u></u></p><p style="font-family:sans-serif;font-size:13.696px">But instead of creating one file per hour according to the time the event is received, it is creating files based on the timestamp of the event (which, while useful for discovering and tracking down machines with time synch problems, is not so useful for managing log files on the syslog server).<u></u><u></u></p><p style="font-family:sans-serif;font-size:13.696px"><u></u> <u></u></p><p style="font-family:sans-serif;font-size:13.696px">Is there a way to make it create files based on the time the event is received and NOT the timestamp of the event?<u></u><u></u></p><p style="font-family:sans-serif;font-size:13.696px"><u></u> <u></u></p><p style="font-family:sans-serif;font-size:13.696px">Thanks.<u></u><u></u></p><p style="font-family:sans-serif;font-size:13.696px"><u></u> </p></div></div>
<br>______________________________<wbr>______________________________<wbr>__________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailm<wbr>an/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support<wbr>/documentation/?product=<wbr>syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/sy<wbr>slog-ng-faq</a><br>
<br>
<br></blockquote></div><br></div>
<br>______________________________<wbr>______________________________<wbr>__________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/<wbr>mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/<wbr>support/documentation/?<wbr>product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/<wbr>syslog-ng-faq</a><br>
<br>
<br></blockquote></div></div>