[syslog-ng] remove_if_older()

[Valdis.Kletnieks at vt.edu]

On Wed, 20 Dec 2006 09:52:05 +1300, anthony lineham said:
> >From the description in the reference manual I was expecting
> remove_if_older() to cause a destination file to be deleted once the
> file becomes older than the specified age, in seconds. However, this is
> not the behaviour I have observed. It seems that the age check is only
> made the first time the file is written too. I've had a quick look
> through the code and it looks like the age check is only made in
> affile_dw_init, which I assume is called when the file is first opened.
> This would be consistent with my observations.
> 
> Is this the intended behaviour?

If it wasn't, you'd have the behavior of "nuke the logfile if nobody's
logged to it in the last N seconds".  Probably not the behavior you want,
because it would just suck.  Consider a server that spews a "I'm crashing
because XYZ failed" message, and then shuts up for 12 hours because it
hasn't been restarted.  You go to look for the message - and discover that
the file evaporated because it was older than 12*3600 seconds.  Whoops. :)

(Yes, the case I'm making up is probably a misconfig on multiple grounds,
but it demonstrates the sort of counter-intuitive behavior you'd get...)

Even more importantly - if the file is older than N seconds, it's because
no messages have *gone* there for N seconds.  This means that to get rid
of a 12-hour-unwritten log, you need a new event handler that sets timer
events and removes the file even when there *isn't* traffic - greatly
adding to the code complexity.  A tree falling in the forest *will* make
a sound, if a requirement for it to fall is that somebody stop by with an axe....


-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
Url : http://lists.balabit.hu/pipermail/syslog-ng/attachments/20061219/fdc07d98/attachment.pgp