[syslog-ng] remove_if_older()

anthony lineham anthony.lineham at alliedtelesis.co.nz
Tue Dec 19 23:21:31 CET 2006 


>>>> <Valdis.Kletnieks at vt.edu> 20/12/2006 10:39 a.m. >>>
>On Wed, 20 Dec 2006 09:52:05 +1300, anthony lineham said:
>> >From the description in the reference manual I was expecting
>> remove_if_older() to cause a destination file to be deleted once
the
>> file becomes older than the specified age, in seconds. However, this
is
>> not the behaviour I have observed. It seems that the age check is
only
>> made the first time the file is written too. I've had a quick look
>> through the code and it looks like the age check is only made in
>> affile_dw_init, which I assume is called when the file is first
opened.
>> This would be consistent with my observations.
>> 
>> Is this the intended behaviour?

>If it wasn't, you'd have the behavior of "nuke the logfile if
nobody's
>logged to it in the last N seconds".  Probably not the behavior you
want,
>because it would just suck.  Consider a server that spews a "I'm
crashing
>because XYZ failed" message, and then shuts up for 12 hours because
it
>hasn't been restarted.  You go to look for the message - and discover
that
>the file evaporated because it was older than 12*3600 seconds. 
Whoops. :)
>
>(Yes, the case I'm making up is probably a misconfig on multiple
grounds,
>but it demonstrates the sort of counter-intuitive behavior you'd
get...)
>
>Even more importantly - if the file is older than N seconds, it's
because
>no messages have *gone* there for N seconds.  This means that to get
rid
>of a 12-hour-unwritten log, you need a new event handler that sets
timer
>events and removes the file even when there *isn't* traffic - greatly
>adding to the code complexity.  A tree falling in the forest *will*
make
>a sound, if a requirement for it to fall is that somebody stop by with
an axe....

Ok, that makes a lot of sense. Although it does make me wonder what the
intended use 
of this option actually is.

This situation I'm working with is that I have a log file that is
receiving status messages periodically. The 
messages are incremental and I'm only interested in the latest one. The
advertised behaviour is that
it checks the age before wirting a new message. So, you can imagine the

prospect of being able to get the file to quietly rotate itself and
always having the latest info was quite appealing.

More information about the syslog-ng mailing list