[syslog-ng] why i have to restart syslog to have the new apache log??

ILLES, Marton illes.marton at balabit.hu
Wed Mar 11 08:27:54 CET 2009


On Wed, 2009-03-11 at 00:26 +0100, gatfi sami wrote:
> thanks
> but i want the change to be sent in (real time) if we can use this term
> because follow_freq(1) means that syslog needs to check the change in the
> file every 1 second
> is there any way to make it 0 second ====> detect changes in the
> apache error log as they happen
> thanks
> 

Hi,

Real time is a tricky thing. There will always be some latency unless
you configure your apache to send logs to syslog-ng directly (over a
pipe or fifo). Even pipes and fifos have a little latency, though we
usually ignore that.

If you check from a file you can either lower the frequency of checking
for changes, or the PE has inotify support under Linux to detect file
changes. Lowering the frequency, though, results in higher CPU load as
syslog-ng will be busy checking, stat()-ing the file. To lower the
frequency in 3.0, just set a smaller floating number for follow_freq().

        | KW_FOLLOW_FREQ '(' FLOAT ')'      { last_reader_options->follow_freq = (long) ($3 * 1000); }
        | KW_FOLLOW_FREQ '(' NUMBER ')'     { last_reader_options->follow_freq = ($3 * 1000); }

To set it to 0.5 sec, use follow_freq(0.5).

On the other hand, I think 1 sec latency should not be a problem, but
logging through a pipe is probably a better choice. Also, Apache can send
the error log directly to syslog.

http://httpd.apache.org/docs/1.3/mod/core.html#errorlog

cheers,

Marton

> 2009/3/10 Balazs Scheidler <bazsi at balabit.hu>
>         
>         On Mon, 2009-03-09 at 02:36 +0100, gatfi sami wrote:
>         > hi i am using syslog-ng 2.0.9.1 on open suse 11.0
>         >
>         > i configured this little script in /etc/syslog-ng/syslog-ng.conf
>         >
>         >         source my_src { file("/var/log/apache2/error_log"); };
>         >
>         >         #filter my_filter { };
>         >
>         >         destination my_dest { file("/var/log/Sami/$HOST/messages"
>         >         owner("root") group("root") perm(0640) dir_perm(0750)
>         >         create_dirs(yes));
>         >           };
>         >
>         >         log { source(my_src); #filter(my_filter);
>         >         destination(my_dest); };
>         > the problem is when i restart apache2 while using the tail
>         > -f /var/log/Sami/$HOST/messages
>         >
>         > nothing happens i have to restart syslog-ng to see those errors
>         >
>         > by the way i stopped the apparmor to avoid a permission denied on the
>         > destination driver
>         
>         
>         Since you are using 2.0, you need to explicitly specify for syslog-ng
>         that you want to poll the file for changes. You can do this via the
>         follow-freq() option, e.g.
>         
>         file("/var/log/apache2/error_log" follow_freq(1));
>         
>         In 3.0, the default value for follow_freq() for regular files is 1
>         second, so you wouldn't have to specify it explicitly.
>         
>         --
>         Bazsi
>         
>         
>         ______________________________________________________________________________
>         Member info:
>         https://lists.balabit.hu/mailman/listinfo/syslog-ng
>         Documentation:
>         http://www.balabit.com/support/documentation/?product=syslog-ng
>         FAQ: http://www.campin.net/syslog-ng/faq.html
>         
-- 
Key fingerprint = F78C 25CA 5F88 6FAF EA21 779D 3279 9F9E 1155 670D
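
Added example (not part of the post above and not taken from the syslog-ng
project's files): the two setups the reply compares, written out as a
syslog-ng 3.0 configuration. The names s_apache_file, s_local, f_apache and
d_apache and the facility local7 are assumptions chosen for illustration; the
file paths are the ones from the original question.

```conf
# ---- Apache side (httpd.conf), needed for option B only ----
#   ErrorLog syslog:local7
# With this directive Apache hands each error line to the local syslog
# socket as it is written, so there is no file for syslog-ng to poll.

# ---- syslog-ng side (/etc/syslog-ng/syslog-ng.conf) ----

# Option A: keep reading the error log file and poll it twice a second.
# follow_freq() takes seconds; a fractional value needs 3.0, where it is
# stored internally in milliseconds (0.5 -> 500). Smaller values mean more
# stat() calls and therefore more CPU load.
source s_apache_file {
    file("/var/log/apache2/error_log" follow_freq(0.5));
};

# Option B: receive the messages Apache sends to syslog.
# Assumption: no other source in this file already reads /dev/log. If your
# distribution's config defines one, reuse that source in the log statement
# below instead of declaring s_local.
source s_local {
    unix-stream("/dev/log");
};

# Select only what Apache logs under the facility chosen in ErrorLog.
filter f_apache {
    facility(local7);
};

destination d_apache {
    file("/var/log/Sami/$HOST/messages"
         owner("root") group("root") perm(0640) dir_perm(0750)
         create_dirs(yes));
};

# Enable exactly one of the two paths, otherwise every error is stored twice.
# log { source(s_apache_file); destination(d_apache); };        # option A
log { source(s_local); filter(f_apache); destination(d_apache); };  # option B
```

Running syslog-ng with the -s (--syntax-only) option checks the file for
syntax errors before the daemon is restarted.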



