On Mon, 2008-06-09 at 13:39 +0100, Hari Sekhon wrote:
> Hi,
> I'm using the file() source to include logs from an application that doesn't do syslog (heresy! :-) ). It looks like it's logging the thing under the kern facility.
> I've been through the admin manual v2 and cannot see any way to change the facility and priority that it marks the source as. My current source looks like this:
> source s_app_name { file("/path/to/app.log" log_prefix("App Name: ") flags(no-parse)); };
> Also, the app.log is quite big and syslog-ng has gone and taken the whole thing and inserted it into syslog with the current timestamp. I'd like to know if there is a tail -n 0 type switch to tell it to take only things that have been appended since it has started watching the file. Can this be done?

If it finds a new file, it usually sends the complete file and then follows it the same way you describe it; you only need to specify the follow-freq(<number of seconds to poll>) option to the file. It does not skip the contents already there, it records the current position instead, and continues reading from there on.

> I wrote a script that basically tails to logger which does all these things but I'd rather use the file() source if I can get these niggles working the way I want. I'm running syslog-ng 2.0.6.

I can't remember when, but I remember I had some patches against file sources, so please check out the latest NEWS file for file source related changes.

-- Bazsi
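
The follow behaviour described in the reply above (a new file is read in full, then each poll continues from the recorded position), as an added Python sketch that is not part of the original thread and is not syslog-ng's code. The class name, the `app.log.pos` state file and its JSON format are hypothetical; resetting on truncation and holding back a half-written last line are choices of this sketch.

```python
import json
import os
import tempfile


class PollingFollower:  # added sketch, not syslog-ng code
    def __init__(self, log_path, state_path):
        self.log_path = log_path
        self.state_path = state_path   # hypothetical file holding the saved offset

    def _load_offset(self):
        try:
            with open(self.state_path) as fh:
                return json.load(fh)["offset"]
        except (OSError, ValueError, KeyError):
            return 0                   # file never seen before: start at the beginning

    def poll(self):
        """One polling pass; returns the complete lines added since the last pass."""
        offset = self._load_offset()
        if os.path.getsize(self.log_path) < offset:
            offset = 0                 # file shrank (truncated or replaced): start over
        with open(self.log_path, "rb") as fh:
            fh.seek(offset)
            data = fh.read()
        end = data.rfind(b"\n") + 1    # hold back a partially written last line
        with open(self.state_path, "w") as fh:
            json.dump({"offset": offset + end}, fh)
        return data[:end].decode("utf-8", "replace").splitlines()


def demo():
    """Constructed sample log: first poll, an append, then a simulated restart."""
    log = os.path.join(tempfile.mkdtemp(), "app.log")
    state = log + ".pos"
    with open(log, "w") as fh:
        fh.write("old line 1\nold line 2\n")
    first = PollingFollower(log, state).poll()       # new file: everything is read
    with open(log, "a") as fh:
        fh.write("new line 3\npartial")
    second = PollingFollower(log, state).poll()      # fresh object = restart
    with open(log, "a") as fh:
        fh.write(" line 4\n")
    third = PollingFollower(log, state).poll()
    return first, second, third


if __name__ == "__main__":
    print(demo())
```

Because the offset is saved after every pass, a restarted reader neither replays the old lines nor drops the ones written while it was down.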