Thank you. Another thing, please: I would like to ask you if it is possible to change the TAG of a sent message, for example give the messages sent to a syslog server a tag value (0X11) and then filter on this tag in the server. I am killing myself to tell my teacher that the tag and priority flag are assigned automatically by syslog, and he insists on the fact that we can change their value. thks

2009/3/11 ILLES, Marton <illes.marton@balabit.hu>
On Wed, 2009-03-11 at 00:26 +0100, gatfi sami wrote:
thks, but I want the change to be sent in (real time), if we can use this term, because follow_freq(1) means that syslog needs to check the change in the file every 1 second. Is there any way to make it 0 seconds ====> detect changes in the apache error log as they happen? thks
Hi,
Real time is a tricky thing. There will always be some latency unless you configure your Apache to send logs to syslog-ng directly (over a pipe or fifo). Even pipes and fifos have a little latency, though we usually ignore that.
If you check from a file, you can either lower the frequency of checking for changes, or the PE has inotify support under Linux to detect file changes. Lowering the frequency, though, results in higher CPU load, as syslog-ng will be busy checking, stat()-ing the file. To lower the frequency in 3.0, just set a smaller floating-point number for follow_freq().
    | KW_FOLLOW_FREQ '(' FLOAT ')' { last_reader_options->follow_freq = (long) ($3 * 1000); }
    | KW_FOLLOW_FREQ '(' NUMBER ')' { last_reader_options->follow_freq = ($3 * 1000); }
To set it to 0.5 sec, use follow_freq(0.5).
On the other hand, I think 1 sec latency should not be a problem, but logging through a pipe is probably a better choice. Also, Apache can send the error log directly to syslog.
http://httpd.apache.org/docs/1.3/mod/core.html#errorlog
cheers,
Marton
2009/3/10 Balazs Scheidler <bazsi@balabit.hu>
On Mon, 2009-03-09 at 02:36 +0100, gatfi sami wrote:
> Hi, I am using syslog-ng 2.0.9.1 on openSUSE 11.0
>
> I configured this little script in /etc/syslog-ng/syslog-ng.conf
>
> source my_src { file("/var/log/apache2/error_log"); };
>
> #filter my_filter { };
>
> destination my_dest{ file("/var/log/Sami/$HOST/messages"
> owner("root") group("root") perm(0640) dir_perm(0750)
> create_dirs(yes));
> };
>
> log { source(my_src); #filter(my_filter);
> destination(my_dest); };
>
> The problem is when I restart apache2 while using the tail
> -f /var/log/Sami/$HOST/messages
>
> nothing happens; I have to restart syslog-ng to see those errors
>
> By the way, I stopped the apparmor to avoid a permission denied on the
> destination driver
Since you are using 2.0, you need to explicitly specify for syslog-ng that you want to poll the file for changes. You can do this via the follow-freq() option, e.g.
file("/var/log/apache2/error_log" follow_freq(1));
In 3.0, the default value for follow_freq() for regular files is 1 second, so you wouldn't have to specify it explicitly.
-- Bazsi
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.campin.net/syslog-ng/faq.html
-- Key fingerprint = F78C 25CA 5F88 6FAF EA21 779D 3279 9F9E 1155 670D
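What polling a file source at a follow_freq() interval amounts to, as an added example that is not part of the original thread and is not syslog-ng's own code: each cycle costs one stat(), new data is read from the saved offset, and rotation or truncation resets that offset. The class name PolledFile, the demo() helper and the sample log lines are constructed for illustration.

```python
import os
import tempfile

class PolledFile:
    """Follow a log file by polling it, the way a follow_freq() interval implies."""
    def __init__(self, path, follow_freq=1.0):
        self.path = path
        # Same conversion as the quoted grammar rule: seconds -> milliseconds.
        self.interval_ms = int(follow_freq * 1000)
        self.offset = 0          # bytes already forwarded
        self.inode = None
        self.stat_calls = 0      # every poll costs one stat(), new data or not

    def poll(self):
        """One polling cycle: stat() the file, return newly completed lines."""
        self.stat_calls += 1
        try:
            st = os.stat(self.path)
        except FileNotFoundError:
            return []                         # not there (yet); retry next cycle
        if self.inode is not None and st.st_ino != self.inode:
            self.offset = 0                   # replaced by a new file (rotation)
        elif st.st_size < self.offset:
            self.offset = 0                   # truncated in place
        self.inode = st.st_ino
        if st.st_size == self.offset:
            return []                         # nothing new
        with open(self.path, "rb") as fh:
            fh.seek(self.offset)
            data = fh.read()
        end = data.rfind(b"\n") + 1           # hold back a half-written line
        self.offset += end
        return data[:end].decode("utf-8", "replace").splitlines()

def demo():
    """Constructed sample log: write, append, rotate, polling in between."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "error_log")
        follower = PolledFile(path, follow_freq=0.5)
        seen = [follower.poll()]                      # file does not exist yet
        with open(path, "w") as fh:
            fh.write("[error] first\n[error] par")    # second line incomplete
        seen.append(follower.poll())
        with open(path, "a") as fh:
            fh.write("tial\n")
        seen.append(follower.poll())
        seen.append(follower.poll())                  # idle cycle
        os.rename(path, path + ".1")                  # rotate the old file away
        with open(path, "w") as fh:
            fh.write("[notice] restarted\n")
        seen.append(follower.poll())
        return follower.interval_ms, follower.stat_calls, seen
```

A real follower would sleep interval_ms between poll() calls, so a line written just after a cycle waits up to one full interval before it is forwarded.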