60 second delay when log rotates, can this be avoided?
I have a log which is received over TCP and is being written to a local file name which changes (with syslog ng macros) once per hour. I am also sending that same stream to a program. When the log rotates, all data seems to stop flowing for exactly 60 seconds, both to the log file and to program. Is there any way to change this?
On 3/12/07, Michael Toy <mtoy@liveops.com> wrote:
I have a log which is received over TCP and is being written to a local file name which changes (with syslog ng macros) once per hour.
Can you post to the list with:
1) The version of syslog-ng.
2) The OS and version where the syslog-ng listener runs.
3) Your syslog-ng.conf, or at least as much as you are willing to share.
I am also sending that same stream to a program.
When the log rotates, all data seems to stop flowing for exactly 60 seconds, both to the log file and to program.
This doesn't sound right, unless you are doing something odd with syslog-ng tunables.

Kevin
I am sorry. I looked at this problem off and on for a couple of days, came in this morning not thinking clearly, and sent my message. After a cup of coffee and a little better thinking I discovered that the 60 second pause is in the data source.

On Mar 12, 2007, at 3:17 PM, K K wrote:
On 3/12/07, Michael Toy <mtoy@liveops.com> wrote:
I have a log which is received over TCP and is being written to a local file name which changes (with syslog ng macros) once per hour.
Can you post to the list with:
1) The version of syslog-ng.
2) The OS and version where the syslog-ng listener runs.
3) Your syslog-ng.conf, or at least as much as you are willing to share.
I am also sending that same stream to a program.
When the log rotates, all data seems to stop flowing for exactly 60 seconds, both to the log file and to program.
This doesn't sound right, unless you are doing something odd with syslog-ng tunables.
Kevin
_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
When I add option "overwrite_if_older(604800)" to a destination file in syslog-ng.conf, it causes a syntax error. I also tried option "remove_if_older(604800)", and it also caused a syntax error. Can anyone see what's wrong?

# syslog-ng -V
syslog-ng 2.0rc4
# syslog-ng -dvFs
syntax error at 6
# sed -n 6p syslog-ng.conf
destination messages { file("/var/log/messages.$WEEKDAY" overwrite_if_older(604800)
# cat syslog-ng.conf
options { long_hostnames(off); sync(0); };

source src { unix-stream("/dev/log"); internal(); };
source kernsrc { file("/proc/kmsg"); };

destination messages { file("/var/log/messages.$WEEKDAY" overwrite_if_older(604800)
    owner(root) group(cast_msgsecure) perm(0640)); };
destination logger1 { tcp("10.11.12.13" port(1234) template("$UNIXTIME $HOST $MESSAGE\n") ); };
destination logger2 { tcp("10.12.13.14" port(1234) template("$UNIXTIME $HOST $MESSAGE\n") ); };

log { source(src); source(kernsrc); destination(logger1); destination(logger2); destination(messages); };
Hi Simon,

It looks like you're missing a few of these: ';' '}'

Regards
Anthony
<simonst@wellsfargo.com> 03/13/07 12:10 PM >>>
When I add option "overwrite_if_older(604800)" to a destination file in syslog-ng.conf, it causes a syntax error. I also tried option "remove_if_older(604800)", and it also caused a syntax error.
Can anyone see what's wrong?

# syslog-ng -V
syslog-ng 2.0rc4
# syslog-ng -dvFs
syntax error at 6
# sed -n 6p syslog-ng.conf
destination messages { file("/var/log/messages.$WEEKDAY" overwrite_if_older(604800)
# cat syslog-ng.conf
options { long_hostnames(off); sync(0); };

source src { unix-stream("/dev/log"); internal(); };
source kernsrc { file("/proc/kmsg"); };

destination messages { file("/var/log/messages.$WEEKDAY" overwrite_if_older(604800)
    owner(root) group(cast_msgsecure) perm(0640)); };
destination logger1 { tcp("10.11.12.13" port(1234) template("$UNIXTIME $HOST $MESSAGE\n") ); };
destination logger2 { tcp("10.12.13.14" port(1234) template("$UNIXTIME $HOST $MESSAGE\n") ); };

log { source(src); source(kernsrc); destination(logger1); destination(logger2); destination(messages); };
I'm still getting a syntax error when I add "overwrite_if_older(604800)" to a file driver, in my syslog-ng 2.0rc4. One person suggested adding semicolons, but that made no difference. I searched the source, but couldn't find "overwrite_if_older" in any *.c or *.h files. Does anyone know if that parm is supported? It's described in Table 3.6. "Available options for file()", section 3.2.1 of the syslog-ng 2.0 reference manual.

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Simons, Tom
Sent: Monday, March 12, 2007 4:10 PM
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng] overwrite_if_older() option causes syntax error

When I add option "overwrite_if_older(604800)" to a destination file in syslog-ng.conf, it causes a syntax error. I also tried option "remove_if_older(604800)", and it also caused a syntax error. Can anyone see what's wrong?

# syslog-ng -V
syslog-ng 2.0rc4
# syslog-ng -dvFs
syntax error at 6
# sed -n 6p syslog-ng.conf
destination messages { file("/var/log/messages.$WEEKDAY" overwrite_if_older(604800)
# cat syslog-ng.conf
options { long_hostnames(off); sync(0); };

source src { unix-stream("/dev/log"); internal(); };
source kernsrc { file("/proc/kmsg"); };

destination messages { file("/var/log/messages.$WEEKDAY" overwrite_if_older(604800)
    owner(root) group(cast_msgsecure) perm(0640)); };
destination logger1 { tcp("10.11.12.13" port(1234) template("$UNIXTIME $HOST $MESSAGE\n") ); };
destination logger2 { tcp("10.12.13.14" port(1234) template("$UNIXTIME $HOST $MESSAGE\n") ); };

log { source(src); source(kernsrc); destination(logger1); destination(logger2); destination(messages); };
On Fri, 2007-03-16 at 13:22 -0500, simonst@wellsfargo.com wrote:
I'm still getting a syntax error when I add "overwrite_if_older(604800)" to a file driver, in my syslog-ng 2.0rc4.
One person suggested adding semicolons, but that made no difference.
I searched the source, but couldn't find "overwrite_if_older" in any *.c or *.h files.
Does anyone know if that parm is supported? It's described in Table 3.6. "Available options for file()", section 3.2.1 of the syslog-ng 2.0 reference manual.
You need a newer version, I can't remember right now which one, but if you check out the NEWS file in the root of the source distribution it should contain an entry when it was added. (2.0.2 IIRC)

--
Bazsi
My syslog-ng (2.0.2) client works fine with a tcp destination:

destination centralLog { tcp("10.11.12.13" port(5432); template("$UNIXTIME $HOST $MESSAGE\n"); ); };

but gets a syntax error when I add localip() and localport():

destination centralLog { tcp("10.11.12.13" port(5432); localip(10.9.8.7) localport(5432); template("$UNIXTIME $HOST $MESSAGE\n"); ); };

I've tried various combinations of localip() & localport(), and also semicolons. Can anyone see what's wrong?

Here's the entire syslog-ng.conf:

options { long_hostnames(off); sync(0); };

source src { unix-stream("/dev/log"); internal(); };
source kernsrc { file("/proc/kmsg"); };

destination messages { file("/var/log/messages.$MON$DAY" owner(root) group(abcde) perm(0644)); };
destination centralLog { tcp("10.11.12.13" port(5432)
    localip("10.9.8.7");
    localport(5432);
    template("$UNIXTIME $HOST $MESSAGE\n");
    ); };
destination centralLog2 { tcp("10.21.22.23" port(5432)
    localip("10.9.8.7")
    localport(5432)
    template("$UNIXTIME $HOST $MESSAGE\n")
    ); };

log { source(src); source(kernsrc); destination(centralLog); destination(centralLog2); destination(messages); };
simonst@wellsfargo.com wrote:
My syslog-ng (2.0.2) client works fine with a tcp destination:
destination centralLog { tcp("10.11.12.13" port(5432); template("$UNIXTIME $HOST $MESSAGE\n"); ); };
but gets a syntax error when I add localip() and localport():
destination centralLog { tcp("10.11.12.13" port(5432); localip(10.9.8.7) localport(5432); template("$UNIXTIME $HOST $MESSAGE\n"); ); };
The basic syntax of the line is wrong in terms of brackets and semicolons

destination centralLog { tcp("10.11.12.13" port(5432) localip(10.9.8.7) localport(5432) template("$UNIXTIME $HOST $MESSAGE\n"); };

A single *network* destination is all done within one set of (); and multiple of these can be in one destination spec

destination centralLog { tcp(...); tcp(...); tcp(...); };

where the ... contains all of the options/settings for the single *network* destination.

Evan.
I've tried various combinations of localip() & localport(), and also semicolons. Can anyone see what's wrong?
Here's the entire syslog-ng.conf:
options { long_hostnames(off); sync(0); };

source src { unix-stream("/dev/log"); internal(); };
source kernsrc { file("/proc/kmsg"); };

destination messages { file("/var/log/messages.$MON$DAY" owner(root) group(abcde) perm(0644)); };
destination centralLog { tcp("10.11.12.13" port(5432)
    localip("10.9.8.7");
    localport(5432);
    template("$UNIXTIME $HOST $MESSAGE\n");
    ); };
destination centralLog2 { tcp("10.21.22.23" port(5432)
    localip("10.9.8.7")
    localport(5432)
    template("$UNIXTIME $HOST $MESSAGE\n")
    ); };

log { source(src); source(kernsrc); destination(centralLog); destination(centralLog2); destination(messages); };
--
Evan Rempel
erempel@uvic.ca
Senior Programmer Analyst
250.721.7691
Computing Services
University of Victoria
Sorry, I forgot the last ) in the example

destination centralLog { tcp("10.11.12.13" port(5432) localip(10.9.8.7) localport(5432) template("$UNIXTIME $HOST $MESSAGE\n") ); };

Evan.

Evan Rempel wrote:
simonst@wellsfargo.com wrote:
My syslog-ng (2.0.2) client works fine with a tcp destination:
destination centralLog { tcp("10.11.12.13" port(5432); template("$UNIXTIME $HOST $MESSAGE\n"); ); };
but gets a syntax error when I add localip() and localport():
destination centralLog { tcp("10.11.12.13" port(5432); localip(10.9.8.7) localport(5432); template("$UNIXTIME $HOST $MESSAGE\n"); ); };
The basic syntax of the line is wrong in terms of brackets and semicolons
destination centralLog { tcp("10.11.12.13" port(5432) localip(10.9.8.7) localport(5432) template("$UNIXTIME $HOST $MESSAGE\n"); };
A single *network* destination is all done within one set of (); and multiple of these can be in one destination spec
destination centralLog { tcp(...); tcp(...); tcp(...); };
where the ... contains all of the options/settings for the single *network* destination.
Evan.
I've tried various combinations of localip() & localport(), and also semicolons. Can anyone see what's wrong?
Here's the entire syslog-ng.conf:
options { long_hostnames(off); sync(0); };

source src { unix-stream("/dev/log"); internal(); };
source kernsrc { file("/proc/kmsg"); };

destination messages { file("/var/log/messages.$MON$DAY" owner(root) group(abcde) perm(0644)); };
destination centralLog { tcp("10.11.12.13" port(5432)
    localip("10.9.8.7");
    localport(5432);
    template("$UNIXTIME $HOST $MESSAGE\n");
    ); };
destination centralLog2 { tcp("10.21.22.23" port(5432)
    localip("10.9.8.7")
    localport(5432)
    template("$UNIXTIME $HOST $MESSAGE\n")
    ); };

log { source(src); source(kernsrc); destination(centralLog); destination(centralLog2); destination(messages); };
Maybe I'm misunderstanding the semicolons, but I intended the tcp(...) to contain the localip() & localport() ip address, in addition to the usual ip address and port of the target server. These syslog-ng tcpip connections are running with IPSec encryption, and now I'd like to lock in the tcp client-side port & interface instead of defaulting to 0.0.0.0 and a dynamically-assigned port.

Where should any semicolons go in:

tcp( "..." port(..) localip(..) localport(..) template(....) )

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Evan Rempel
Sent: Thursday, March 29, 2007 2:23 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Localport() & localip() cause syntax error

simonst@wellsfargo.com wrote:
My syslog-ng (2.0.2) client works fine with a tcp destination:
destination centralLog { tcp("10.11.12.13" port(5432); template("$UNIXTIME $HOST $MESSAGE\n"); ); };
but gets a syntax error when I add localip() and localport():
destination centralLog { tcp("10.11.12.13" port(5432); localip(10.9.8.7) localport(5432); template("$UNIXTIME $HOST $MESSAGE\n"); ); };
The basic syntax of the line is wrong in terms of brackets and semicolons

destination centralLog { tcp("10.11.12.13" port(5432) localip(10.9.8.7) localport(5432) template("$UNIXTIME $HOST $MESSAGE\n"); };

A single *network* destination is all done within one set of (); and multiple of these can be in one destination spec

destination centralLog { tcp(...); tcp(...); tcp(...); };

where the ... contains all of the options/settings for the single *network* destination.

Evan.
I've tried various combinations of localip() & localport(), and also semicolons. Can anyone see what's wrong?
Here's the entire syslog-ng.conf:
options { long_hostnames(off); sync(0); };

source src { unix-stream("/dev/log"); internal(); };
source kernsrc { file("/proc/kmsg"); };

destination messages { file("/var/log/messages.$MON$DAY" owner(root) group(abcde) perm(0644)); };
destination centralLog { tcp("10.11.12.13" port(5432)
    localip("10.9.8.7");
    localport(5432);
    template("$UNIXTIME $HOST $MESSAGE\n");
    ); };
destination centralLog2 { tcp("10.21.22.23" port(5432)
    localip("10.9.8.7")
    localport(5432)
    template("$UNIXTIME $HOST $MESSAGE\n")
    ); };

log { source(src); source(kernsrc); destination(centralLog); destination(centralLog2); destination(messages); };
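The rule from Evan's replies above (all options of one network destination sit inside a single set of parentheses, and the semicolon comes only after the closing parenthesis) can be checked mechanically before a config is loaded. The following Python script is an added example, not part of the original thread or of syslog-ng; the function name find_inner_semicolons is hypothetical, and the sample text is the two destinations from the posted config, re-wrapped.

```python
# Added example: flags ';' typed inside a driver's parentheses (syslog-ng 2.0-style configs).
def find_inner_semicolons(conf):
    """Return [(line_no, driver)] for every ';' found inside open parentheses."""
    hits, stack = [], []      # stack: names whose '(' is still open
    quote, word = None, ""    # active quote char; identifier being read
    line_no, i = 1, 0
    while i < len(conf):
        ch = conf[i]
        if ch == "\n":
            line_no += 1
        if quote:                         # inside a quoted string
            if ch == "\\":
                i += 1                    # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in ('"', "'"):
            quote = ch
        elif ch == "#":                   # comment: skip to end of line
            while i + 1 < len(conf) and conf[i + 1] != "\n":
                i += 1
        elif ch == "(":
            stack.append(word)            # remember which option opened it
            word = ""
        elif ch == ")":
            if stack:
                stack.pop()
            word = ""
        elif ch == ";" and stack:         # statement terminator inside (...)
            hits.append((line_no, stack[0]))
        elif ch.isalnum() or ch in "_-":
            word += ch
        else:
            word = ""
        i += 1
    return hits

# Sample input: the two destinations posted in the thread, re-wrapped here.
BROKEN = r'''destination centralLog {
  tcp("10.11.12.13" port(5432)
      localip("10.9.8.7");
      localport(5432);
      template("$UNIXTIME $HOST $MESSAGE\n");
  );
};'''
FIXED = r'''destination centralLog2 { tcp("10.21.22.23" port(5432)
  localip("10.9.8.7") localport(5432) template("$UNIXTIME $HOST $MESSAGE\n") ); };'''

if __name__ == "__main__":
    print(find_inner_semicolons(BROKEN), find_inner_semicolons(FIXED))
```

Each hit names the outermost driver whose parentheses were still open, so the three semicolons in the first destination are all reported against tcp.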
participants (6)
- anthony lineham
- Balazs Scheidler
- Evan Rempel
- K K
- Michael Toy
- simonst@wellsfargo.com