On Wed, 2009-03-11 at 00:26 +0100, gatfi sami wrote:
Thanks, but I want the change to be sent in (real time), if we can use this term, because follow_freq(1) means that syslog needs to check the change in the file every 1 second. Is there any way to make it 0 seconds ====> detect changes in the apache error log as they happen? Thanks
Hi,

Real time is a tricky thing. There will always be some latency unless you configure your apache to send logs to syslog-ng directly (over a pipe or fifo). Even pipes and fifos have a little latency, though we usually ignore that.

If you check from a file you can either lower the frequency of checking for changes, or the PE has inotify support under linux to detect file changes. Lowering the frequency, though, results in higher CPU load, as syslog-ng will be busy checking, stat()-ing the file.

To lower the frequency in 3.0, just set a smaller floating number for follow_freq().

    | KW_FOLLOW_FREQ '(' FLOAT ')' { last_reader_options->follow_freq = (long) ($3 * 1000); }
    | KW_FOLLOW_FREQ '(' NUMBER ')' { last_reader_options->follow_freq = ($3 * 1000); }

To set it for 0.5 sec, use follow_freq(0.5).

On the other hand, I think 1 sec latency should not be a problem, but logging through a pipe is probably a better choice. Also, apache can send the error log directly to syslog.
http://httpd.apache.org/docs/1.3/mod/core.html#errorlog

cheers,
Marton
2009/3/10 Balazs Scheidler <bazsi@balabit.hu>
On Mon, 2009-03-09 at 02:36 +0100, gatfi sami wrote:
> hi i am using syslog-ng 2.0.9.1 on open suse 11.0
>
> i configured this little script in /etc/syslog-ng/syslog-ng.conf
>
> source my_src { file("/var/log/apache2/error_log"); };
>
> #filter my_filter { };
>
> destination my_dest{ file("/var/log/Sami/$HOST/messages"
> owner("root") group("root") perm(0640) dir_perm(0750)
> create_dirs(yes));
> };
>
> log { source(my_src); #filter(my_filter);
> destination(my_dest); };
> the problem is when i restart apache2 while using the tail
> -f /var/log/Sami/$HOST/messages
>
> nothing happens i have to restart syslog-ng to see those errors
>
> by the way i stopped the apparmor to avoid a permission denied on the
> destination driver
Since you are using 2.0, you need to explicitly specify for syslog-ng that you want to poll the file for changes. You can do this via the follow-freq() option, e.g.
file("/var/log/apache2/error_log" follow_freq(1));
In 3.0, the default value for follow_freq() for regular files is 1 second, so you wouldn't have to specify it explicitly.
-- Bazsi
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.campin.net/syslog-ng/faq.html
-- Key fingerprint = F78C 25CA 5F88 6FAF EA21 779D 3279 9F9E 1155 670D
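
An added illustration, not part of the thread and not syslog-ng's code: this Python example shows what a follow_freq()-style poll does on each cycle, including the log rotation and truncation cases that decide whether error lines go missing after an apache restart. The names `PollingFollower` and `follow` are assumptions made for the example.

```python
import os
import time


class PollingFollower:
    """Follow a log file by polling, as a follow_freq()-style source does.
    Hypothetical helper for illustration; not syslog-ng's implementation."""

    def __init__(self, path):
        self.path = path
        self.inode = None    # identity of the file we last read from
        self.offset = 0      # bytes already consumed
        self.partial = b""   # trailing bytes that have no newline yet

    def poll(self):
        """One polling cycle: return complete lines appended since the last call."""
        try:
            fh = open(self.path, "rb")
        except FileNotFoundError:
            return []        # mid-rotation: the new file does not exist yet
        with fh:
            st = os.fstat(fh.fileno())
            if st.st_ino != self.inode or st.st_size < self.offset:
                # New inode means rotation, smaller size means truncation:
                # either way, start reading from the top of the file.
                self.inode, self.offset, self.partial = st.st_ino, 0, b""
            if st.st_size == self.offset:
                return []    # idle cycle; still cost an open() and an fstat()
            fh.seek(self.offset)
            data = fh.read(st.st_size - self.offset)
        self.offset += len(data)
        # Hold back an unterminated last line until its newline arrives.
        *lines, self.partial = (self.partial + data).split(b"\n")
        return [line.decode("utf-8", "replace") for line in lines]


def follow(path, follow_freq=1.0):
    """Yield new lines forever; a line can wait up to follow_freq seconds."""
    follower = PollingFollower(path)
    while True:
        yield from follower.poll()
        time.sleep(follow_freq)
```

A truncation that is followed by a rewrite at least as large as the old offset is not detected by the size check alone, which is one reason a pipe or direct syslog delivery is the more reliable path for error logs.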