RE: [syslog-ng] Syslog-ng log file overwrite
Hi Kevin,

Thanks a lot for the information & help.

Is there a way to include 'user name' or userid from which the log generated to each log? I couldn't find the macro (eg: $HOST) for user name/uid.

Thanks,
Rajeesh

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of K K
Sent: Saturday, March 10, 2007 1:18 AM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Syslog-ng log file overwrite

On 3/9/07, Padmanabhan, Rajeesh (GE Healthcare) <Rajeesh.Padmanabhan@ge.com> wrote:
Hi Valdis,
Thanks for the help. Could you please explain the questions below?
1. Will the below format overwrite the existing log file?
Unless you specify otherwise (using remove_if_older), if a file exists, it is opened for appending instead of being overwritten.
file("/logs/$HOST/$YEAR/$MONTH/messages-$YEAR-$MONTH$DAY");
In the above case, $YEAR is always unique, the directory and files will always have a unique name.
2. Is there a way to rotate log file based on the size?
No size-based rotation is built into syslog-ng. You could write a script, but I find it easier to just have syslog-ng create many smaller files, and then either compress or purge these files using a cron job.
The idea is I don't want my log partition to get filled & alerts due to lack of space :)

Running out of disk space is a risk. What I do is specify the destination like this:

    file("/var/log/remote/$HOST/$WEEKDAY/$HOUR" remove_if_older(259200) sync(60) );

Additionally, I have a cron job to compress older logs by as much as 98%:

    @midnight find /var/log/remote -type f -name '[0-2][0-9]' -ctime +3 -print0 |xargs -r -0 bzip2 -f

Kevin
On Sat, 2007-03-10 at 02:45 +0530, Padmanabhan, Rajeesh (GE Healthcare) wrote:
Hi Kevin,
Thanks a lot for the information & help.
Is there a way to include 'user name' or userid from which the log generated to each log? I couldn't find the macro (eg: $HOST) for user name/uid.

This information is not available in the syslog protocol currently, and because of this syslog-ng does not support it. Do you need this information for locally generated messages or messages that are received on a network? For local processes it should be possible to get the sender's credentials, at least on some of the platforms that syslog-ng supports. What platform are you using?

--
Bazsi
On Mon, 19 Mar 2007 18:38:30 BST, Balazs Scheidler said:
Do you need this information for locally generated messages or messages that are received on a network? For local processes it should be possible to get the sender's credentials, at least on some of the platforms that syslog-ng supports. What platform are you using?

Note that as the Linux LSPP project has found out, "the sender's credentials" is a very squishy concept indeed. You already have an (admittedly possibly forged) process name/number in the message. The real gotcha is that the vast majority of the time, you already *know* the answer to this question - if it's sendmail, or ssh, or any one of the vast flock of daemon processes that do the majority of logging, it's "root" or "apache" or "cups" or similar. What you're often more interested in is "The identity of the user on whose behalf this message was generated". You already *know* that the message is from CUPS - what you want to know is which user's print job bombed and caused the message.
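An added example, not part of the original thread and not syslog-ng code: on Linux, a receiver on a local Unix datagram socket can ask the kernel for the sender's pid/uid/gid (SO_PASSCRED / SCM_CREDENTIALS) and compare them with the program name and PID the sender wrote into the message itself. The function names and the sample line are constructed for illustration, and the sketch assumes Linux.

```python
import os
import re
import socket
import struct

# Linux struct ucred: pid_t pid; uid_t uid; gid_t gid
UCRED = struct.Struct("iII")

# Constructed sample: the tag claims to be cups, with a PID above the Linux PID limit.
FORGED_LINE = b"<30>cups[99999999]: constructed sample: print job failed"


def claimed_identity(line):
    """Return (program, pid) exactly as the sender wrote them in the message tag."""
    m = re.match(rb"<\d+>([^\[:\s]+)\[(\d+)\]:", line)
    return (m.group(1).decode(), int(m.group(2))) if m else (None, None)


def recv_with_creds(sock, bufsize=2048):
    """Receive one datagram and the credentials the kernel attached to it."""
    data, ancdata, _flags, _addr = sock.recvmsg(bufsize, socket.CMSG_SPACE(UCRED.size))
    for level, ctype, cdata in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_CREDENTIALS:
            pid, uid, gid = UCRED.unpack(cdata[:UCRED.size])
            return data, {"pid": pid, "uid": uid, "gid": gid}
    return data, None


def demo():
    """Send FORGED_LINE to ourselves and compare claimed vs. kernel-reported sender."""
    receiver, sender = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        # Enable before sending so the kernel stamps the datagram with the sender's credentials.
        receiver.setsockopt(socket.SOL_SOCKET, socket.SO_PASSCRED, 1)
        sender.send(FORGED_LINE)
        line, creds = recv_with_creds(receiver)
    finally:
        receiver.close()
        sender.close()
    program, pid = claimed_identity(line)
    return {"claimed": {"program": program, "pid": pid}, "kernel": creds}


if __name__ == "__main__":
    print(demo())
```

The kernel-reported values identify the process that wrote to the socket; as the message above points out, that is the daemon's own account, not the user on whose behalf the daemon was working.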
participants (3): Balazs Scheidler; Padmanabhan, Rajeesh (GE Healthcare); Valdis.Kletnieks@vt.edu