On 31.05.2016 13:04, Matwey V. Kornilov wrote:
Hello,
I am running syslog-ng 3.7.1 and journald v210. The goal I want to reach is the following. I would like to replicate local system logs to a remote endpoint using the standard UDP protocol.
So, I've just disabled all destinations except the following one:
destination logserver { udp("10.0.0.47" port(514)); };
log { source(src); destination(logserver); };
The issue is the following. It seems that syslog-ng 3.7.1 uses journald natively for the system() source. And I like it. The issue is that when I start syslog-ng it tries to sync all existing local journald data (about 5 GB of compressed journald data, 1.5 years of logs) from the beginning.
I found in modules/systemd-journal/journal-reader.c that syslog-ng stores the journald cursor in the persist file. I would like to point the cursor to the end of the journald database in order to avoid unneeded log sync.
The question is: how could I do that in the open-source syslog-ng version?
I've written a simple yet useful application which solved the problem: https://github.com/matwey/syslog-ng-persist