[syslog-ng] Syslog-ng log file overwrite

Fri Mar 9 22:15:05 CET 2007

Hi Kevin,

Thanks a lot for the information & help. 

Is there a way to include 'user name' or userid from which the log
generated to each log?  I coudnt find the macro (eg: $HOST) for user
name/uid.

Thanks,
Rajeesh

-----Original Message-----
From: syslog-ng-bounces at lists.balabit.hu
[mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of K K
Sent: Saturday, March 10, 2007 1:18 AM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Syslog-ng log file overwrite

On 3/9/07, Padmanabhan, Rajeesh (GE Healthcare)
<Rajeesh.Padmanabhan at ge.com> wrote:
> Hi Valdis,
>
> Thanks for the help. Could you please explain below questons?
>
> 1. Will the below format overwrites existing log file?

Unless you specify otherwise (using remove_if_older), if a file exists,
it is opened for appending instead of being overwritten.

> file("/logs/$HOST/$YEAR/$MONTH/messages-$YEAR-$MONTH$DAY");

In the above case, $YEAR is always unique, the directory and files will
always have a unique name.

> 2. Is there a way to roate log file based on the size?

No size-based rotation is built into syslog-ng.  You could write a
script, but I find it easier to just have syslog-ng create many smaller
files, and then either compress or purge these files using a cron job.

> Idea is I don't want my log partition gets filled & alerts due to 
> lacks of space :)

Running out of disk space is a risk.

What I do is specify the destination like this:

      file("/var/log/remote/$HOST/$WEEKDAY/$HOUR"
remove_if_older(259200) sync(60) );

Additionally, I have a cron job to compress older logs by as much as
98%:

     @midnight find /var/log/remote -type f -name '[0-2][0-9]' -ctime
+3 -print0 |xargs -r -0 bzip2 -f

Kevin
_______________________________________________
syslog-ng maillist  -  syslog-ng at lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html