Here is what I am trying to do.  We have all of our network monitoring devices logging to a central linux syslog-ng server.  The files write to the log server as the day of the week (eg. 01, 02, 03).  I am trying to make sure that when the month rolls over and starts writing to file 01 that they old file is blown away.  I don't need logs older than one month.  I can't seem to get syslog-ng to handle this on its own.  I have tried two options from syslog-ng that are given in the extended sample syslog-ng conf files from the website.  Neither have worked the way they said they should.

 

First, I tried limiting the number of lines that can be written to a file.  I set the log_fifo_size to (12288).  The sample config says that this setting is for the number of lines that can be written to the log files.  However, I have some log files that are over 1,000,000 lines.  So, unless I misunderstood this option it isn't working.

 

Second, I tried to set the option remove_if_older to (172800) or 2 days.  The expanded sample config says that this option checks a file to see whether or not it is older than the number of seconds specified.  If it is older then it removes the existing file and writes to a new file with the same name.  This option would work perfectly, if it worked!  When I put it in the config file, it barfs when trying to load syslog-ng and says it is an error.  Any ideas on how to do this (without writing a script to blank out each days file at midnight). 

 

Attached is a copy of our conf file.

 

Thanks,

Tim

 

# Syslog-ng configuration for for ODJFS-NOC Syslog
#
# Copyright (c) 1999 anonymous
# Copyright (c) 1999 Balazs Scheidler
# $Id: syslog-ng.conf.sample,v 1.2 1999/11/15 12:30:41 bazsi Exp $
#
# Syslog-ng configuration file, compatible with default Debian syslogd
# installation.
#

 

options {
        #remove_if_older(172800);
        use_fqdn(yes);
        use_dns(yes);
        dns_cache(yes);
        keep_hostname(yes);
        long_hostnames(off);
        use_time_recvd(yes);
        #log_fifo_size=number of lines logged
        log_fifo_size(12288);
        sync(0);
 };
######################################
#Source Section
#source for local data
source src {
        pipe("/proc/kmsg" log_prefix("kernel: "));
        unix-stream("/dev/log");
        internal();
};

 

#source for network devices
source net {
        udp();
};

 

#####################################
#Destination Section
#Standard destination
destination std {
        file("/var/log/$HOST/$FACILITY/$DAY"
                owner(root)
                group(root)
                perm(0600)
                dir_perm(0700)
                create_dirs(yes));
};

 

#Forward Destination
destination noc-web {
        udp("10.3.8.100" port(514));
};
#####################################
#log for src
log {
        source(src);
        destination(std);
};

 

#log for net
log {
        source(net);
        destination(std);
};

 

########END OF FILE########