[syslog-ng] why i have to restart syslog to have the new apache log??

gatfi sami pfegatfi.sami at gmail.com
Thu Mar 12 06:55:56 CET 2009


thank you
another thing please
I would like to ask you if it is possible to change the TAG of a sent
message
for example
give the messages sent to a syslog server a tag value (0X11)
and then filter on this tag in the server
I am killing myself to tell my teacher that the tag and priority flag are
assigned automatically by syslog and he insists on the fact that we can
change their value

thanks
2009/3/11 ILLES, Marton <illes.marton at balabit.hu>

> On Wed, 2009-03-11 at 00:26 +0100, gatfi sami wrote:
> > thanks
> > but I want the change to be sent in (real time), if we can use this term,
> > because follow_freq(1) means that syslog needs to check the change in the
> > file every 1 second
> > is there any way to make it 0 seconds ====> detect changes in the
> > apache error log as they happen
> > thanks
> >
>
> Hi,
>
> Real time is a tricky thing. There will always be some latency unless
> you configure your Apache to send logs to syslog-ng directly (over a
> pipe or fifo). Even pipes and fifos have a little latency, though we
> usually ignore that.
>
> If you check from a file, you can either lower the frequency of checking
> for changes, or the PE has inotify support under Linux to detect file
> changes. Lowering the frequency, though, results in higher CPU load, as
> syslog-ng will be busy checking, stat()-ing the file. To lower the
> frequency in 3.0, just set a smaller floating number for follow_freq().
>
> | KW_FOLLOW_FREQ '(' FLOAT ')'  { last_reader_options->follow_freq = (long) ($3 * 1000); }
> | KW_FOLLOW_FREQ '(' NUMBER ')' { last_reader_options->follow_freq = ($3 * 1000); }
>
> To set it to 0.5 sec, use follow_freq(0.5).
>
> On the other hand, I think 1 sec latency should not be a problem, but
> logging through a pipe is probably a better choice. Also, Apache can send
> the error log directly to syslog.
>
> http://httpd.apache.org/docs/1.3/mod/core.html#errorlog
>
> cheers,
>
> Marton
>
> > 2009/3/10 Balazs Scheidler <bazsi at balabit.hu>
> >
> >         On Mon, 2009-03-09 at 02:36 +0100, gatfi sami wrote:
> >         > hi, I am using syslog-ng 2.0.9.1 on openSUSE 11.0
> >         >
> >         > I configured this little script in /etc/syslog-ng/syslog-ng.conf
> >         >
> >         >         source my_src { file("/var/log/apache2/error_log"); };
> >         >
> >         >         #filter my_filter { };
> >         >
> >         >         destination my_dest {
> >         >             file("/var/log/Sami/$HOST/messages"
> >         >                  owner("root") group("root") perm(0640) dir_perm(0750)
> >         >                  create_dirs(yes));
> >         >         };
> >         >
> >         >         log { source(my_src); #filter(my_filter);
> >         >         destination(my_dest); };
> >         >
> >         > the problem is when I restart apache2 while using
> >         > tail -f /var/log/Sami/$HOST/messages
> >         >
> >         > nothing happens; I have to restart syslog-ng to see those errors
> >         >
> >         > by the way, I stopped AppArmor to avoid a permission denied on the
> >         > destination driver
> >
> >
> >         Since you are using 2.0, you need to explicitly specify for
> >         syslog-ng that you want to poll the file for changes. You can
> >         do this via the follow-freq() option, e.g.
> >
> >         file("/var/log/apache2/error_log" follow_freq(1));
> >
> >         In 3.0, the default value for follow_freq() for regular files
> >         is 1 second, so you wouldn't have to specify it explicitly.
> >
> >         --
> >         Bazsi
> >
> >
> >
> ______________________________________________________________________________
> >         Member info:
> >         https://lists.balabit.hu/mailman/listinfo/syslog-ng
> >         Documentation:
> >         http://www.balabit.com/support/documentation/?product=syslog-ng
> >         FAQ: http://www.campin.net/syslog-ng/faq.html
> >
> --
> Key fingerprint = F78C 25CA 5F88 6FAF EA21 779D 3279 9F9E 1155 670D
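The three options described in Marton's reply (polling with a fractional follow_freq(), reading from a fifo, and having Apache log to syslog directly), written out as a syslog-ng 3.0 configuration. This is an added example, not part of the original thread: the fifo path, the local7 facility and the s_*/f_* names are assumptions, and the destination is the one from the original post.

```conf
@version: 3.0

# Keep one variant and delete the sources you do not use.

# (a) Poll the regular file. follow_freq() is in seconds and 3.0 accepts
#     a fraction; smaller values cut latency but cost more stat() calls.
source s_apache_poll {
    file("/var/log/apache2/error_log" follow_freq(0.5));
};

# (b) Read a fifo that Apache writes to, so nothing is polled.
#     Assumed path; create it before starting either daemon:
#       mkfifo /var/run/apache2/error_log.fifo
#       chown root:root /var/run/apache2/error_log.fifo
#       chmod 0600 /var/run/apache2/error_log.fifo
#     (0600 keeps unprivileged users from reading or injecting log lines.)
#     Apache side (httpd.conf):
#       ErrorLog /var/run/apache2/error_log.fifo
source s_apache_fifo {
    pipe("/var/run/apache2/error_log.fifo");
};

# (c) Let Apache write to the local syslog socket.
#     Apache side (httpd.conf), facility local7 is an assumption:
#       ErrorLog syslog:local7
#     If the configuration already has a source reading /dev/log,
#     reference that source instead of defining a second one.
source s_local { unix-stream("/dev/log"); };
filter f_apache { facility(local7); };

# Destination taken from the original post.
destination my_dest {
    file("/var/log/Sami/$HOST/messages"
         owner("root") group("root") perm(0640) dir_perm(0750)
         create_dirs(yes));
};

# Enable exactly one log path, matching the variant kept above.
log { source(s_apache_poll); destination(my_dest); };
# log { source(s_apache_fifo); destination(my_dest); };
# log { source(s_local); filter(f_apache); destination(my_dest); };
```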