So according to https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/example-logrotate.html

using this format:

destination d_sorted { file("/var/log/remote/${HOST}/${YEAR}_${MONTH}_${DAY}.log" create-dirs(yes)); };

I can create logs folders and files based on the timestamp. And this is working nicely for us... With a caveat.

We are getting a TON of logs, so we want to rotate hourly and archive quickly.

My config is this:

destination d_msg { file("/var/log/message_${YEAR}_${MONTH}_${DAY}_${HOUR}.log"); };

But instead of creating one file per hour according to the time the event is received, it is creating files based on the timestamp of the event (which, while useful for discovering and tracking down machines with time synch problems, is not so useful for managing log files on the syslog server).

Is there a way to make it create files based on the time the event is received and NOT the timestamp of the event?

Thanks.
Hi,

I believe you are looking for the R_HOUR macro (https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/date-macros.html)

HTH,
Robert

On Mon, Nov 20, 2017 at 4:29 PM, craig bowser <reswob10@gmail.com> wrote:
> So according to
> https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/example-logrotate.html
>
> using this format:
>
> destination d_sorted { file("/var/log/remote/${HOST}/${YEAR}_${MONTH}_${DAY}.log" create-dirs(yes)); };
>
> I can create logs folders and files based on the timestamp. And this is working nicely for us... With a caveat.
>
> We are getting a TON of logs, so we want to rotate hourly and archive quickly.
>
> My config is this:
>
> destination d_msg { file("/var/log/message_${YEAR}_${MONTH}_${DAY}_${HOUR}.log"); };
>
> But instead of creating one file per hour according to the time the event is received, it is creating files based on the timestamp of the event (which, while useful for discovering and tracking down machines with time synch problems, is not so useful for managing log files on the syslog server).
>
> Is there a way to make it create files based on the time the event is received and NOT the timestamp of the event?
>
> Thanks.
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
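
The change suggested in the reply above, written out as an added example (not code from the thread or from the syslog-ng documentation). It is a fragment to merge into an existing syslog-ng.conf; the names s_remote, d_msg_by_event and d_msg_by_receipt, the UDP 514 source and the line template are assumptions.

```conf
# Added example: file by receipt time, keep the sender's timestamp in each line.
# s_remote, d_msg_by_event, d_msg_by_receipt and the port are assumed names/values.

source s_remote {
    network(transport("udp") port(514));
};

# Behaviour described in the question: unprefixed date macros take the
# timestamp carried in the message, so a sender with a wrong clock
# makes the server open a file for the wrong hour.
destination d_msg_by_event {
    file("/var/log/message_${YEAR}_${MONTH}_${DAY}_${HOUR}.log");
};

# R_ prefixed macros take the time syslog-ng received the message, so the
# file name depends only on the server's clock and each hourly file is
# complete once the hour has passed.
# The template writes both stamps (received first, then sender), so hosts
# with clock drift can still be found by comparing the two fields.
destination d_msg_by_receipt {
    file("/var/log/message_${R_YEAR}_${R_MONTH}_${R_DAY}_${R_HOUR}.log"
         template("${R_ISODATE} ${S_ISODATE} ${HOST} ${MSGHDR}${MSG}\n"));
};

log {
    source(s_remote);
    destination(d_msg_by_receipt);
};
```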
Thanks. Will try that one

On Nov 20, 2017 10:32 AM, "Fekete, Róbert" <robert.fekete@balabit.com> wrote:
> Hi,
>
> I believe you are looking for the R_HOUR macro (https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/date-macros.html)
>
> HTH,
> Robert
participants (2)
- craig bowser
- Fekete, Róbert