<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Hello,<br>
<br>
Syslog-ng doesn't do any form of rotation - you're using macros in
the destination filenames instead. Contents of macros like $YEAR
get parsed from the timestamp of the incoming messages so as long
as messages contain older timestamps syslog-ng will (re)open files
reflecting these older timestamps and append logs there. There is
no need to restart syslog-ng as not the restart changes where logs
will get written but the metadata associated with the logs.<br>
<br>
IIRC the antique 1.6.8 version you're using also has support for
other datetime macros (prefixed with C_ or R_) which reflect the
'C'urrent or 'R'eception timestamp so you can alter the current
behaviour - although I wouldn't recommend switching for example to
$C_YEAR-$C_MONTH-$C_DAY as it could be confusing to see the last
few logs of a given day written to another file than people would
expect.<br>
<br>
Does this make sense or did I misunderstood your observation?<br>
<br>
Regards,<br>
Sandor<br>
<br>
On 06/07/2018 01:06 PM, Amin, Jitesh CTR DISA JSP (US) wrote:<br>
</div>
<blockquote type="cite"
cite="mid:6ABAA6A2B076EB46BAD27364052B13AB4C80D873@UMECHPA65.easf.csd.disa.mil">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]-->
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p>CLASSIFICATION: UNCLASSIFIED<o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Hello,<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">So
the file rotates now successfully – but what I have noticed
is that after the file rotates it collects data for first
few minute or so and then it stops collecting data
(basically the file size never grows and timestamp never
changes to the most latest when I check the file).<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">I
do see that syslog process/service is running. If I restart
the service/process, it starts collecting data until the
file rotation happens.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Can
you please let me know what would be causing this behavior?<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Thanks<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Jitesh
Amin<o:p></o:p></span></p>
</div>
<p>CLASSIFICATION: UNCLASSIFIED<o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><a name="_____replyseparator"
moz-do-not-send="true"></a><b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">
Amin, Jitesh CTR DISA JSP (US) <br>
<b>Sent:</b> Tuesday, June 5, 2018 9:59 AM<br>
<b>To:</b> Syslog-ng users' and developers' mailing list
<a class="moz-txt-link-rfc2396E" href="mailto:syslog-ng@lists.balabit.hu"><syslog-ng@lists.balabit.hu></a><br>
<b>Subject:</b> RE: (U) [syslog-ng] [Non-DoD Source] Re:
Rotate syslog-ng log files<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p>CLASSIFICATION: UNCLASSIFIED<o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">OK
skipping the {} made it work and I now see a syslog file
with timestamp (year-month-day). Does this mean it should
rotate to new log file name (tomorrows timestamp) at
midnight tonight? OR I need to add syntax so it rolls
everyday with new timestamp. Just wanted to confirm.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Thanks<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Jitesh
Amin<o:p></o:p></span></p>
<p>CLASSIFICATION: UNCLASSIFIED<o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">
syslog-ng <a class="moz-txt-link-rfc2396E" href="mailto:syslog-ng-bounces@lists.balabit.hu"><syslog-ng-bounces@lists.balabit.hu></a> <b>On
Behalf Of </b>Scheidler, Balázs<br>
<b>Sent:</b> Thursday, May 31, 2018 5:48 AM<br>
<b>To:</b> Syslog-ng users' and developers' mailing list
<a class="moz-txt-link-rfc2396E" href="mailto:syslog-ng@lists.balabit.hu"><syslog-ng@lists.balabit.hu></a><br>
<b>Subject:</b> Re: [syslog-ng] (U) [Non-DoD Source] Re:
Rotate syslog-ng log files<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt">All active
links contained in this email were disabled. Please verify the
identity of the sender, and confirm the authenticity of all
links contained within the message prior to copying and
pasting the address to a Web browser. <o:p></o:p></p>
<div class="MsoNormal" style="text-align:center" align="center">
<hr width="100%" size="2" align="center"></div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
<div>
<p class="MsoNormal">I mean syslog-ng 1.6.8<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On May 30, 2018 22:54, "Balazs
Scheidler"
<<a class="moz-txt-link-abbreviated" href="mailto:bazsi77@gmail.com">bazsi77@gmail.com</a> <a class="moz-txt-link-rfc2396E" href="mailto: Caution-mailto:bazsi77@gmail.com ">< Caution-mailto:bazsi77@gmail.com ></a> >
wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC
1.0pt;padding:0in 0in 0in
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">syslog-ng does have template
support, it just doesnt support braces, which came
later.<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Just write $YEAR instead of
${YEAR}<o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On May 30, 2018 09:41, "Gergely
Nagy"
<<a class="moz-txt-link-abbreviated" href="mailto:algernon@balabit.com">algernon@balabit.com</a> <a class="moz-txt-link-rfc2396E" href="mailto: Caution-mailto:algernon@balabit.com ">< Caution-mailto:algernon@balabit.com ></a> >
wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid
#CCCCCC 1.0pt;padding:0in 0in 0in
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<p class="MsoNormal" style="margin-bottom:12.0pt">>>>>>
"Amin" == Amin, Jitesh CTR DISA JSP (US)
<<a class="moz-txt-link-abbreviated" href="mailto:jitesh.amin.ctr@mail.mil">jitesh.amin.ctr@mail.mil</a> <a class="moz-txt-link-rfc2396E" href="mailto: Caution-mailto:jitesh.amin.ctr@mail.mil ">< Caution-mailto:jitesh.amin.ctr@mail.mil ></a> >
writes:<br>
<br>
Amin> Let me ask this, with the following
config = destination<br>
Amin> syslog {
file("/var/log/syslog-${YEAR}-${MONTH}-${DAY}.log");<br>
Amin> };<br>
<br>
Amin> It created new file and started
writing to it (versus creating<br>
Amin> new syslog.log). Question, if we plan
to accept this for now,<br>
Amin> with above config, would it create a
new file ever day with<br>
Amin> following file names or no it would
not work with v1.6.8<br>
<br>
With syslog-ng 1.6.8, it would not create a new
file every day, and<br>
would continue writing to
syslog-{YEAR}-{MONTH}-{DAY}.log. With newer<br>
versions, it would create files like
`syslog-2018-05-30.log`. No `.0`,<br>
`.1` or the like would be appended. That's a
convention of logrotate.<br>
With syslog-ng, you get filenames that match the
template, they will<br>
have nothing appended or prepended that is not in
the filename template.<br>
<br>
-- <br>
|8]<br>
______________________________________________________________________________<br>
Member info:
Caution-https://lists.balabit.hu/mailman/listinfo/syslog-ng < Caution-https://lists.balabit.hu/mailman/listinfo/syslog-ng > <br>
Documentation:
Caution-http://www.balabit.com/support/documentation/?product=syslog-ng < Caution-http://www.balabit.com/support/documentation/?product=syslog-ng > <br>
FAQ:
Caution-http://www.balabit.com/wiki/syslog-ng-faq < Caution-http://www.balabit.com/wiki/syslog-ng-faq > <o:p></o:p></p>
</blockquote>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
______________________________________________________________________________<br>
Member info:
Caution-https://lists.balabit.hu/mailman/listinfo/syslog-ng < Caution-https://lists.balabit.hu/mailman/listinfo/syslog-ng > <br>
Documentation:
Caution-http://www.balabit.com/support/documentation/?product=syslog-ng < Caution-http://www.balabit.com/support/documentation/?product=syslog-ng > <br>
FAQ:
Caution-http://www.balabit.com/wiki/syslog-ng-faq < Caution-http://www.balabit.com/wiki/syslog-ng-faq > <o:p></o:p></p>
</blockquote>
</div>
</div>
</div>
<!--'"--><br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">______________________________________________________________________________
Member info: <a class="moz-txt-link-freetext" href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a>
Documentation: <a class="moz-txt-link-freetext" href="http://www.balabit.com/support/documentation/?product=syslog-ng">http://www.balabit.com/support/documentation/?product=syslog-ng</a>
FAQ: <a class="moz-txt-link-freetext" href="http://www.balabit.com/wiki/syslog-ng-faq">http://www.balabit.com/wiki/syslog-ng-faq</a>
</pre>
</blockquote>
<p><br>
</p>
</body>
</html>