[syslog-ng] source file wildcard problems

[Balazs Scheidler]

On Wed, 2009-03-25 at 10:04 -0700, Dan Gunter wrote:
> Hi,
> 
> I am having trouble getting the new file wildcard option to work. I am  
> testing it with the following very simple file-to-file configuration:
> 
> @version: 3.0
> options {
>     time_sleep(500);  # polling interval, in ms (make this once per  
> second)
>     use_fqdn(yes);    # use fully qualified domain names
>     ts_format(iso);   # use ISO8601 timestamps
>     # for normal load
>     flush_lines (10); # number of lines to buffer before writing to disk
>     flush_timeout (1000); # 1 second timeout
>     log_fifo_size(100);
>     stats_freq(3600);  # number of seconds between syslog-ng internal  
> stats events; these are useful
>                        # for ensuring syslog-ng is not getting  
> overloaded
> };
> # Debugging
> source syslog_ng { internal(); };
> destination debug_dest { file("/u/dang/local/var/log/syslog-ng- 
> internal.log" perm(0644) ); };
> log { source(syslog_ng); destination(debug_dest); };
> # Other
> source simple_src { file("/u/dang/local/var/log/myfile.log"  
> follow_freq(1) flags(no-parse) program_override("my_log ") ); };
> source test_src { file ("/u/dang/local/var/log/test*.log"  
> follow_freq(1) flags(no-parse) program_override("test_log ") ); };
> destination test_dest { file ("/u/dang/local/var/log/collected.log"  
> perm(0644) ); };
> log { source(simple_src); destination(test_dest);  };
> log { source(test_src); destination(test_dest);  };
> 
> The behavior I am seeing is that anything appended to the static file  
> "myfile.log" shows up in "collected.log" a second later. But new files  
> of the pattern "test-1.log", etc. are never forwarded, and if there  
> are existing files of this name at startup they are ignored. The  
> internal log says:
> 
> 2009-03-25T10:02:20-07:00 host.org syslog-ng[29624]: Follow-mode file  
> source not found, deferring open; filename='/u/dang/local/var/log/ 
> test*.log'
> 2009-03-25T10:02:20-07:00 host.org syslog-ng[29626]: syslog-ng  
> starting up; version='3.0.1'
> 
> My syslog-ng version is:
> 
> -bash-3.1$ syslog-ng -V
> syslog-ng 3.0.1
> Revision: ssh+git://bazsi@git.balabit//var/scm/git/syslog-ng/syslog-ng- 
> ose--mainline--3.0#master#93a342dae3a2b0cb15811d0c34ea7f58b3fba14e
> Compile-Date: Mar 25 2009 09:08:54
> Enable-Threads: off
> Enable-Debug: off
> Enable-GProf: off
> Enable-Memtrace: off
> Enable-Sun-STREAMS: off
> Enable-Sun-Door: off
> Enable-IPv6: on
> Enable-Spoof-Source: off
> Enable-TCP-Wrapper: on
> Enable-SSL: on
> Enable-SQL: off
> Enable-Linux-Caps: off
> Enable-Pcre: off

Currently the wildcard based file monitoring is only part of the Premium
Edition, sorry. The Open Source edition can only read individual files,
and you need to specify the full pathname, you cannot use globbing.

-- 
Bazsi