This is intentional behaviour. Syslog-ng starts any "program()" when syslog-ng is started and it expects that the program will perform read from stdin and block waiting for data. This protects syslog-ng againts the overhead of forking a new process everytime a matching log message is seen. You can still use filters so I'd suggest modifying your program so that it can have the $S_DAY fed to it at the start of each log message.
Evan Rempel <erempel@uvic.ca> 12/04/09 4:07 PM >>>
Is it possible to use macro expansion in the program destination. I wanted to write something like destination mydest{ program("/some/path/to/filter/program -options >> /path/log.$S_DAY"));}; I was hoping that syslog-ng would not open this destination until the first message was ready for this destination. I was hoping that syslog-ng would open a new one when the $S_DAY changed, allowing me to have each day of logs processed by my program with outputs based on day. Does anyone know if macro expantion can be used on program destinations? If not, can someone explain what I am overlooking that makes this a bad thing? Thanks, -- Evan Rempel ______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.campin.net/syslog-ng/faq.html