Syslog-ng log file rollover question
Hi all,

I am wondering whether anyone here knows how to configure syslog-ng to perform log file rollover. I was told that I can roll over a log file in syslog-ng by configuring syslog-ng in a format which includes time-related macros, such as $MONTH, $DAY, $HOUR, $MIN. For example

destination snort { file("/var/snort/snort-$MONTH$DAY$HOUR$MIN"); };

In this case, the log file should roll over to a new file every 1 minute. However, I found it doesn't work and syslog-ng keeps appending its received syslog messages into a log file, for example snort-08091208.

Does anyone know how to do it or figure out what I have done wrong? Or does syslog-ng support the log file rollover?

Thanks!
Xiaodong
> Does anyone know how to do it or figure out what I have done wrong? Or does syslog-ng support the log file rollover?
Most programs don't rotate logs. The usual Unix way is to send the process a SIGHUP, and it will close and reopen its log file (as well as re-read its config file). There's no accuracy guarantee though, and done every minute will put a lid on performance. You're better off post-processing it into single files.

--
 () ASCII Ribbon Campaign
 /\ against HTML email
On Wed, 2004-12-01 at 21:55, Xiaodong Lin wrote:
> Hi all,
>
> I am wondering whether anyone here knows how to configure syslog-ng to perform log file rollover. I was told that I can roll over a log file in syslog-ng by configuring syslog-ng in a format which includes time-related macros, such as $MONTH, $DAY, $HOUR, $MIN. For example
>
> destination snort { file("/var/snort/snort-$MONTH$DAY$HOUR$MIN"); };
>
> In this case, the log file should roll over to a new file every 1 minute. However, I found it doesn't work and syslog-ng keeps appending its received syslog messages into a log file, for example snort-08091208.
>
> Does anyone know how to do it or figure out what I have done wrong? Or does syslog-ng support the log file rollover?
It should work; however, the macros referenced above use the timestamp found in the log message itself, thus if there is a message with an invalid stamp you might see messages appearing in the wrong files. You might want to check out the S_ and R_ versions of the macros above (one refers to the timestamp of the message, the other to the time the message was received by syslog-ng).

--
Bazsi
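A way to see Bazsi's point in action, as an added example that is not from this thread or from the syslog-ng project: the script below parses a few constructed BSD-syslog lines and expands a file() template the way the thread describes, with bare macros ($MONTH) and the S_ variants taken from the message's own timestamp and the R_ variants ($R_MONTH, $R_DAY, $R_HOUR, $R_MIN) taken from the time the collector received the line. It then lists the senders whose stamps disagree with the receive time, which is the check to run before trusting per-minute files. Assumptions made here: the $S_*/$R_* macro names, a fallback to the receive time when a message carries no parseable timestamp, and all sample lines and receive times, which are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample input: RFC 3164 (BSD) syslog lines as a collector might
# receive them from several snort sensors. Line 3 carries an unparsable
# timestamp; line 4 comes from a host whose clock is more than a day behind.
SAMPLE_LINES = [
    "<34>Dec  1 21:55:03 sensor1 snort[123]: [1:2003:8] example alert",
    "<34>Dec  1 21:56:10 sensor1 snort[123]: [1:2003:8] example alert",
    "<34>Xyz 99 99:99:99 sensor2 snort[99]: garbage timestamp",
    "<34>Nov 30 08:09:12 sensor3 snort[7]: alert from a skewed clock",
]

# Constructed receive times: when the collector saw each line, in order.
RECEIVE_TIMES = [
    datetime(2004, 12, 1, 21, 55, 4),
    datetime(2004, 12, 1, 21, 56, 11),
    datetime(2004, 12, 1, 21, 57, 0),
    datetime(2004, 12, 1, 21, 58, 30),
]

MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]

# <PRI>Mmm dd hh:mm:ss host ...   (BSD header; the day may be space-padded)
BSD_HEADER = re.compile(
    r"^<\d{1,3}>(?P<mon>[A-Z][a-z]{2}) {1,2}(?P<day>\d{1,2}) "
    r"(?P<hour>\d{2}):(?P<minute>\d{2}):(?P<sec>\d{2}) "
)

# The macros from the thread, and the strftime field each one expands to.
MACRO = re.compile(r"\$(?P<family>S_|R_)?(?P<name>MONTH|DAY|HOUR|MIN)")
STRFTIME = {"MONTH": "%m", "DAY": "%d", "HOUR": "%H", "MIN": "%M"}


def parse_message_time(line, received):
    """Timestamp carried in the message header, or None if it is not valid.

    BSD headers carry no year, so the year is taken from the receive time.
    """
    header = BSD_HEADER.match(line)
    if header is None or header.group("mon") not in MONTHS:
        return None
    try:
        return datetime(received.year, MONTHS.index(header.group("mon")) + 1,
                        int(header.group("day")), int(header.group("hour")),
                        int(header.group("minute")), int(header.group("sec")))
    except ValueError:          # e.g. day 99 or hour 99
        return None


def expand_path(template, line, received):
    """Expand a file() template for one message.

    Bare ($MONTH) and S_ macros use the message's own stamp; R_ macros use the
    receive time. Assumption for this example: a message with no valid stamp
    falls back to the receive time.
    """
    msg_time = parse_message_time(line, received) or received

    def substitute(m):
        stamp = received if m.group("family") == "R_" else msg_time
        return stamp.strftime(STRFTIME[m.group("name")])

    return MACRO.sub(substitute, template)


def route(template, lines=SAMPLE_LINES, receive_times=RECEIVE_TIMES):
    """Destination file chosen for each line under the given template."""
    return [expand_path(template, ln, rt) for ln, rt in zip(lines, receive_times)]


def skewed_senders(lines=SAMPLE_LINES, receive_times=RECEIVE_TIMES, tolerance_s=300):
    """Hosts whose message stamp differs from the receive time by more than tolerance_s.

    These are the senders whose messages land in unexpected files under the
    bare or S_ macros, so they are worth flagging before relying on such files.
    """
    hosts = []
    for ln, rt in zip(lines, receive_times):
        msg_time = parse_message_time(ln, rt)
        if msg_time is not None and abs((rt - msg_time).total_seconds()) > tolerance_s:
            hosts.append(ln.split()[3])  # hostname field follows the timestamp
    return hosts


if __name__ == "__main__":
    for tpl in ("/var/snort/snort-$MONTH$DAY$HOUR$MIN",
                "/var/snort/snort-$R_MONTH$R_DAY$R_HOUR$R_MIN"):
        print(tpl)
        for path in route(tpl):
            print("   ", path)
    print("skewed senders:", skewed_senders())
```

Under the bare template the fourth line lands in snort-11300809 even though it arrived at 21:58 on Dec 1, which is exactly the symptom of a single file being appended to while the collector's own clock moves on; under the $R_ template every line goes to the file for the minute in which it was received, and skewed_senders() names the host whose clock needs fixing.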
Participants (3):
- Balazs Scheidler
- scott
- Xiaodong Lin