<div dir="ltr"><div>i don't believe that's the case - the command syslog-ng-ctl status showed these files as processed after they were removed even after a restart. they only clear up after i remove the persist file and restart syslog-ng. this is reproducible in 3.17.2, i have not tried 3.18 yet.<br></div><div><br></div><div>instead of the drop-box method i may instead just pipe output to logger and run a few health checks (port listening, syslog-ng running) every time the script runs. this leaves one less mechanism for me to deal with (removing files after they're read).<br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr">On Tue, Nov 6, 2018 at 12:37 AM Scheidler, Balázs <<a href="mailto:balazs.scheidler@oneidentity.com">balazs.scheidler@oneidentity.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div>The files removed should be untracked automatically once the DELETED event is received from inotify, so they shouldn't be counted in max-files() once that happens.</div><div><br></div><div>the persist file is cleaned up at restarts, quoting a comment from the persist-state.c file:</div><div> * Cleaning up:<br> * ------------<br> *<br> * It can be seen that no explicit deallocation is performed on the<br> * persistent file, in effect it could grow indefinitely. There's a<br> * simple cleanup procedure though:<br> *<br> * - on every startup, the persist file is rewritten, entries with an<br> * in_use bit set are copied to the new one, with the in_use bit cleared<br> * - whenever syslog-ng looks up (e.g. uses) an entry, its in_use bit is set again<br> *<br> * This way unused entries in the persist file are reaped when<br> * syslog-ng restarts.<br> *<br><br></div><div>stats are only in memory, and are not cleaned up, unless syslog-ng is restarted.</div><div><br></div><div>In theory those cleanups could happen via syslog-ng-ctl or at reloads, but they don't today.<br></div></div></div></div><br><div class="gmail_quote"><div dir="ltr">On Mon, Nov 5, 2018 at 11:19 PM Nik Ambrosch <<a href="mailto:nik@ambrosch.com" target="_blank">nik@ambrosch.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>is there a way to tell syslog-ng to stop tracking/following a file and flush from syslog-ng stats? i've noticed that when dropping a large number of files into my temporary directory it's very easy to exceed max_files and i'm not sure how long it takes to be removed from syslog-ng.persist automatically (is it ever removed automatically?)</div><div><br></div><div>when this is done i'll be fetching and deleting about five new log files per minute.<br></div><div><br></div><div> </div></div><br><div class="gmail_quote"><div dir="ltr">On Mon, Oct 15, 2018 at 12:36 PM Nik Ambrosch <<a href="mailto:nik@ambrosch.com" target="_blank">nik@ambrosch.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div dir="ltr"><div>It seems most elegant to have syslog-ng take care of the file once it's done consuming, I don't think it would be against the role of the software to do so either.</div><div><br></div><div>I wrote a script that seems to do the job if run periodically via cron, my biggest issue I have is a worst-case if there is an non-parsed file with a missing stamp, which would happen on a daemon reload. I'm conflicted if the correct action is to remove the file or force a reload of the file.<br></div><div><br></div><div><br></div><div>#!/usr/bin/env bash<br><br>path='/data/tmp'<br><br># examine every file in directory<br>for file in $(find $path -type f); do<br> # how many lines is in this file<br> lines=$(wc -l ${file} | awk '{print $1}')<br> <br> # output of syslog-ng-ctl<br> ctlout=$(syslog-ng-ctl query get src.file.s_cf_file*${file}*)<br> <br> # how many lines syslog-ng has parsed<br> parsed=$(echo "${ctlout}" | grep '.processed=' | awk -F '=' '{print $2}')<br> <br> # when syslog-ng last consumed the file<br> stamp=$(echo "${ctlout}" | grep '.stamp=' | awk -F '=' '{print $2}')<br><br> # debug<br> echo "file ${file} parsed ${parsed} of ${lines} lines"<br><br> # if file was parsed before a restart<br> if [[ "${parsed}" = "0" && "$stamp" = "0" ]]; then<br> echo "file ${file} processed before syslog-ng restart, removing"<br> #rm -f "${file}<br> fi<br><br> # if all lines in file were parsed<br> if [[ ${parsed} -eq ${lines} ]]; then<br> echo "file ${file} processed, removing"<br> #rm -f "${file}<br> fi<br>done</div><div><br></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Oct 15, 2018 at 12:51 AM, Scheidler, Balázs <span dir="ltr"><<a href="mailto:balazs.scheidler@oneidentity.com" target="_blank">balazs.scheidler@oneidentity.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto">It would be possible to add an option to execute an external script when eof is reached.<div dir="auto">If i remember correctly the driver level has this information in the form of a notification today. So it's only about adding the option and calling system() on it.</div><div dir="auto"><br></div><div dir="auto">On the other hand, syslog-ng keeps statistics on every file it follows, so the alternative is to poll syslog-ng-ctl stats and see if the counters of the file is non-zero and delete it only in that case.</div></div><br><div class="gmail_quote"><div dir="ltr">On Sun, Oct 14, 2018, 04:16 Nik Ambrosch <<a href="mailto:nik@ambrosch.com" target="_blank">nik@ambrosch.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Thanks for the feedback. The files contain predictable json data, new files arrive every 1-3 minutes (haven't decided yet). There are no start and end markers.</div><div><br></div><div>I'm wary of using cron to delete old files because if syslog-ng isn't able to consume the file (crashed, user error, upgrading package, etc) the non-consumed file will be deleted and contents will be lost.</div><div><br></div><div>That same worst case applies to a separate script - if it provides the messages via syslog (instead of copying a file) but syslog-ng is unhealthy, then my messages are lost unless I build a buffer into the script and that starts to get complex.</div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><div class="gmail_extra"><br><div class="gmail_quote">On Sat, Oct 13, 2018 at 2:40 PM, Balazs Scheidler <span dir="ltr"><<a href="mailto:bazsi77@gmail.com" rel="noreferrer" target="_blank">bazsi77@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto">If there's a specific time for which a dropped file is specific to, then just remove the file after a grace period with a simple cron job.</div><br><div class="gmail_quote"><div dir="ltr">On Sat, Oct 13, 2018, 14:01 Nagy, Gábor <<a href="mailto:gabor.nagy@oneidentity.com" rel="noreferrer" target="_blank">gabor.nagy@oneidentity.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div dir="ltr">Hi Nik,<div><br></div><div>Syslog-ng should not be designed to delete files when it reaches EOF, it rather monitors the file for new lines if so.</div><div>This would be a bit destructive behaviour even if it would be a feature with a control flag:<br></div><div>source s_file_clearup {<br></div><div> wildcard-file (</div><div> base-dir("/tmp/")</div><div> filename-pattern("*")</div><div> remove-on-EOF(yes)</div><div> );</div><div>};</div><div>But if we are looking at from your point of view, it could be enhanced to have one-time files, or drop-off files.</div><div>It could be an enhancement.</div><div><br></div><div>With the current behaviour of syslog-ng quick ideas to solve this use case (if workaround needed):</div><div>- syslog-ng closes a file after the reading is idle for time_reap seconds. This could be monitored externally and remove the given file.</div><div>Example message "Destination timed out, reaping; template='input-logs', filename='input-logs"</div><div>I think there is no EOF warning for files, as syslog-ng simply waits for new lines (as said above).</div><div><br></div><div>Regards,</div><div>Gabor</div><div><br></div></div></div><br><div class="gmail_quote"><div dir="ltr">On Fri, Oct 12, 2018 at 5:55 PM Nik Ambrosch <<a href="mailto:nik@ambrosch.com" rel="noreferrer noreferrer" target="_blank">nik@ambrosch.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Looking to create a drop-off directory that syslog-ng handles instead of needing to execute in a separate script.. flow would go something like this:</div><div><br></div><div>1) mv file.log /syslog-tmp/</div><div>2) syslog-ng reads /syslog-tmp/file.log<br></div><div>3) syslog-ng deletes /syslog-tmp/file.log when done consuming<br></div><div><br></div><div>Sounds simple but I can't seem to figure out a good way to do this. The other option is to read file with a script, send out with logger (or whatever), and hope that syslog-ng is running & healthy.</div><div><br></div><div>Thanks.<br></div></div>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer noreferrer noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer noreferrer noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer noreferrer noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</blockquote></div>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer noreferrer noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer noreferrer noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer noreferrer noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</blockquote></div>
<br>______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
<br></blockquote></div><br></div></div></div>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</blockquote></div>
<br>______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
<br></blockquote></div><br></div>
</blockquote></div>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</blockquote></div>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</blockquote></div>