Previously there was some discussion about adding a size_limit option to the file destination driver.

options { file_size_limit(123456); };
destination log1 { file("/var/log/log1.log" size_limit(456789)); };

I've just compiled syslog-ng 3.3.4, and received a syntax error when trying to use these options. Are there any plans to add this option to syslog-ng in the future? Can the patch that was previously attached be applied to the 3.3.4 source?

-Thank You,
Gene Mat

On 2011-07-25 20:03, Gergely Nagy wrote:
> On Mon, Jul 25, 2011 at 19:58, Sergei Zhirikov <sfzhi at yahoo.com> wrote:
>> I have a patch that does something of that kind. When the log file grows above a certain size syslog-ng switches to a new one and renames the old one. Further processing (such as compression) should be done externally.
>> I posted that patch in this list quite some time ago, but as far as I can tell, it went unnoticed...
> Can you please post it again? I'd love to have a look.
Attached. The patch is against syslog-ng-3.1.4, but the idea is pretty straightforward, so I don't expect it to be difficult to port to a newer version.
The patch introduces two new configuration options: 'file_size_limit' to be used inside global 'options' and 'size_limit' to be used inside 'file' destination. Each option specifies log file size limit in bytes. If the global option is set to a value greater than zero it applies to all 'file' destinations. A particular file destination can remove the limit by setting it to zero. For example:
# set the global file size limit
options { file_size_limit(123456); };

# set a different size limit for a particular file destination
destination log1 { file("/var/log/log1.log" size_limit(456789)); };

# remove size limit for a particular file destination
# (useful only if there is a global size limit set)
destination log2 { file("/var/log/log2.log" size_limit(0)); };

The file size is checked after writing each log message and if the file has grown up to or above the size limit the file is renamed and a new empty file is created to continue logging to. The name format the "overgrown" log file is renamed to is "<p>-<s>.<m>-<r>", where <p> - the full path and name of the original log file, <s> - current time in UNIX format (seconds since Jan 1, 1970), <m> - fractional part of the current time (microseconds, 6 digits), <r> - a random number (10 digits).
The intended use is to have incrond or another similar mechanism to detect when there is a new "renamed" log file and to process it in whatever way necessary (gzip it, parse it, send it by email, etc.).
-- Sergei.
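
Added example, not part of the thread or of the attached patch: a Python handler for the external processing step described above, which recognises rotated names of the form "<p>-<s>.<m>-<r>" and gzips them oldest first. The function names and the sample file names are constructed for illustration, and it assumes the random part is always exactly 10 digits.

```python
import gzip
import os
import re
import shutil
import tempfile
from datetime import datetime, timezone

# "<p>-<s>.<m>-<r>": seconds, 6-digit microseconds, 10-digit random (assumed fixed width).
SUFFIX = re.compile(r"-(\d+)\.(\d{6})-(\d{10})$")

def parse_rotated(name):
    """Split a rotated name into (original path, UTC time, random part), or None."""
    m = SUFFIX.search(name)
    if not m or m.start() == 0:
        return None
    stamp = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
    return name[:m.start()], stamp.replace(microsecond=int(m.group(2))), m.group(3)

def compress_rotated(log_path):
    """Gzip every rotated sibling of log_path, oldest first; return the new names."""
    directory, base = os.path.split(log_path)
    found = []
    for entry in os.listdir(directory or "."):
        parsed = parse_rotated(entry)
        if parsed and parsed[0] == base:
            found.append((parsed[1], parsed[2], entry))
    done = []
    for _, _, entry in sorted(found):
        src = os.path.join(directory, entry)
        # Only handle regular files; a symlink with a matching name is left alone.
        if os.path.islink(src) or not os.path.isfile(src):
            continue
        with open(src, "rb") as fin, gzip.open(src + ".gz", "wb") as fout:
            shutil.copyfileobj(fin, fout)
        os.remove(src)
        done.append(entry + ".gz")
    return done

def demo():
    """Create constructed sample files in a temp directory and process them."""
    with tempfile.TemporaryDirectory() as tmp:
        log = os.path.join(tmp, "log1.log")
        for name in ("log1.log", "log1.log-1311620600.000123-0123456789",
                     "log1.log-1311620580.999999-9876543210", "log1.log-old"):
            with open(os.path.join(tmp, name), "w") as f:
                f.write("constructed sample line\n")
        return compress_rotated(log), sorted(os.listdir(tmp))

if __name__ == "__main__":
    print(demo())
```

The live log file and names that do not match the pattern (such as "log1.log-old") are never touched, and the ".gz" results no longer match the pattern, so a repeated run does not reprocess them.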