How to roll journald cursor in persist file
Hello,

I am running syslog-ng 3.7.1 and journald v210. The goal I want to reach is the following. I would like to replicate local system logs to remote endpoint using standard UDP protocol.

So, I've just disabled all destinations except the following one:

destination logserver { udp("10.0.0.47" port(514)); };
log { source(src); destination(logserver); };

The issue is the following. It seems that syslog-ng 3.7.1 uses journald natively for system() source. And I like it. The issue is that when I start syslog-ng it tries to sync all existing local journald data (about 5 GB of compressed journald data, 1.5 years of logs) from the beginning.

I found in modules/systemd-journal/journal-reader.c that syslog-ng stores journald cursor in the persist file. I would like to point the cursor to the end of journald database in order to avoid unneeded log sync.

The question is how could I do that in opensource syslog-ng version?
31.05.2016 13:04, Matwey V. Kornilov wrote:
> Hello,
> I am running syslog-ng 3.7.1 and journald v210. The goal I want to reach is the following. I would like to replicate local system logs to remote endpoint using standard UDP protocol.
> So, I've just disabled all destinations except the following one:
> destination logserver { udp("10.0.0.47" port(514)); };
> log { source(src); destination(logserver); };
> The issue is the following. It seems that syslog-ng 3.7.1 uses journald natively for system() source. And I like it. The issue is that when I start syslog-ng it tries to sync all existing local journald data (about 5 GB of compressed journald data, 1.5 years of logs) from the beginning.
> I found in modules/systemd-journal/journal-reader.c that syslog-ng stores journald cursor in the persist file. I would like to point the cursor to the end of journald database in order to avoid unneeded log sync.
> The question is how could I do that in opensource syslog-ng version?
I've written simple yet useful application which solved the problem: https://github.com/matwey/syslog-ng-persist
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
On Thu, Jun 02, 2016 at 12:26:48PM +0300, Matwey V. Kornilov wrote:
> I've written simple yet useful application which solved the problem:
Awesome, that *will* be useful for my testing purposes thanks!
It really is cool, thanks for this tool. Nevertheless, the journal source should have something to suppress old entries. Can you file an issue about that?

Thanks

On Jun 2, 2016 11:27 AM, "Matwey V. Kornilov" <matwey.kornilov@gmail.com> wrote:
> I've written simple yet useful application which solved the problem:
> https://github.com/matwey/syslog-ng-persist
participants (3)
- Fabien Wernli
- Matwey V. Kornilov
- Scheidler, Balázs