I have a solution.. but I think there can be a better one. My solution is: having a midlle program between syslog-ng and the destination file. And for every message received, the program would verify if the destination file (p.e. auth.log) already has 100 lines. If so, deleted the last line, make all others one ENTER down and that append the new line to the beginning of the file.
It would probably be better to maintain the file in circular fashion: allocate 8K in the beginning, then write messages from beginning to end, then wrap around and write from the beginning again, always keeping track (in a header of the file) of where you last wrote. Use a special program that understands this file format to translate it to a regular stream that you can use normally. Lots of systems have programs that do this. I looked on Freshmeat for a publicly available one and found 'cupyvei', though I don't much care for the details of this implementation. It would be easy to write a program of your own. I also think a built in log destination of this type (e.g. "file_circular") would be an excellent addition to syslog-ng. I think this type of logging is a common requirement. -- Bryan Henderson San Jose, California