[syslog-ng] Tailing a file

Sandor Geller Sandor.Geller at morganstanley.com
Fri Jan 14 10:48:18 CET 2011


Hi,

On Thu, Jan 13, 2011 at 7:32 PM,  <maillists0 at gmail.com> wrote:
> I need to tail a bunch of application logs that aren't in syslog
> format and send them to a remote server. I've configured this:
>
> source s_tail { file(/var/log/chaotic_debug_log follow_freq(1)
> flags(no-parse)); };
> destination remote { tcp("my_syslogserver.com" port(514)); };
> log { source(s_tail); destination(remote); };
>
> syslog-ng starts successfully and doesn't complain, but nothing
> happens... no logs appear remotely. I did a tcpdump on the syslog
> server and nothing is showing up from this box, so I did an strace on
> syslog-ng and didn't see the log files being opened. Running lsof on
> those files didn't show anything but the writing program. syslog-ng
> just isn't reading the files. Is something wrong with my config? How
> might I troubleshoot this? The syslog-ng version is 2.1.4 on CentOS
> 5.4.

Could you post your config file? In theory the above should work. BTW,
using the latest syslog-ng versions you could also use custom parsers
for reading logfiles.

> Also, to have syslog tail multiple files, do I just add multiple
> entries, like this?
>
> source s_tail { file(/var/log/chaotic_debug_log1 follow_freq(1)
> flags(no-parse)); };
> source s_tail { file(/var/log/chaotic_debug_log2 follow_freq(1)
> flags(no-parse)); };
> source s_tail { file(/var/log/chaotic_debug_log3 follow_freq(1)
> flags(no-parse)); };

This won't work because you're redefining the same source, so the last
definition wins. Either group all file() statements into a single
source definition or create a unique source for every file. I prefer
the former (otherwise a lot of extra log sections have to be created),
so the source definition would look like

source s_tailedfiles {
  file("myfile1" follow_freq(1));
  file("myfile2" follow_freq(1));
  ...
};


Regards,

Sandor
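
A small check for the redefinition described in the reply above, as an added example that is not part of the original message or of syslog-ng itself: it scans a configuration for top-level source, destination or filter names that are declared more than once. The function names are assumptions of this example, and the sample input is constructed from the configuration quoted in the thread.

```python
import re
from collections import defaultdict

# Constructed sample: the multi-file configuration quoted in the thread.
SAMPLE_CONF = '''
source s_tail { file(/var/log/chaotic_debug_log1 follow_freq(1)
flags(no-parse)); };
source s_tail { file(/var/log/chaotic_debug_log2 follow_freq(1)
flags(no-parse)); };
source s_tail { file(/var/log/chaotic_debug_log3 follow_freq(1)
flags(no-parse)); };
destination remote { tcp("my_syslogserver.com" port(514)); };
log { source(s_tail); destination(remote); };
'''

# "<kind> <name> {" opens a named object definition.
OBJECT_RE = re.compile(r'\b(source|destination|filter)\s+([A-Za-z_][\w.-]*)\s*\{')


def mask(text):
    """Blank out quoted strings and # comments, keeping offsets and newlines."""
    def blank(match):
        return re.sub(r'[^\n]', ' ', match.group(0))
    return re.sub(r'"(?:\\.|[^"\\])*"|\'[^\']*\'|#[^\n]*', blank, text)


def find_definitions(text):
    """Return {(kind, name): [line numbers]} for top-level named objects."""
    clean = mask(text)
    defs = defaultdict(list)
    for m in OBJECT_RE.finditer(clean):
        before = clean[:m.start()]
        # Only count statements at brace depth 0 (not nested inside a log block).
        if before.count('{') == before.count('}'):
            defs[(m.group(1), m.group(2))].append(before.count('\n') + 1)
    return dict(defs)


def duplicates(text):
    """Names defined more than once; per the reply, only the last one takes effect."""
    return {key: lines for key, lines in find_definitions(text).items() if len(lines) > 1}


if __name__ == '__main__':
    for (kind, name), lines in duplicates(SAMPLE_CONF).items():
        print(f'{kind} "{name}" defined {len(lines)} times (lines {lines})')
```

Running it against a config before reloading syslog-ng flags files that would silently stop being collected because an earlier definition is overridden.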

