[syslog-ng] log file size limit

Sergei Zhirikov sfzhi at yahoo.com
Mon Jul 25 20:42:05 CEST 2011 

On 2011-07-25 20:03, Gergely Nagy wrote:
> On Mon, Jul 25, 2011 at 19:58, Sergei Zhirikov<sfzhi at yahoo.com>  wrote:
>> On 2011-07-25 17:50, William Tambellini wrote:
>>> Dear Syslog-ng team,
>>>
>>> We are currently evaluating syslog-ng in order to satisfy some requests from our customers regarding logs from our software.
>>> One of their requests is to limit log file size using some kind of rotation algo : if size>  6Mo then rotate to another file.
>>> We have found some options in file destination like fifo buffer control but nothing about files rotation.
>>> Is there anything for that kind of feature ?
>>>
>>
>> I have a patch that does something of that kind. When the log file grows above certain size syslog-ng switches to a new one and renames the old one. Further processing (such as compression) should be done externally.
>>
>> I posted that patch in this list quite some time ago, but as far as I can tell, it went unnoticed...
>
> Can you please post it again? I'd love to have a look.
>

Attached.
The patch is against syslog-ng-3.1.4, but the idea is pretty straight
forward, so I don't expect it to be difficult to port to a newer version.

The patch introduces two new configuration options:
'file_size_limit' to be used inside global 'options' and 'size_limit' to
be used inside 'file' destination. Each option specifies log file size
limit in bytes. If the global option is set to a value greater than zero
it applies to all 'file' destinations. A particular file destination can
remove the limit by setting it to zero. For example:

# set the global file size limit
options { file_size_limit(123456); };

# set a different size limit for a particular file destination
destination log1 { file("/var/log/log1.log" size_limit(456789)); };

# remove size limit for a particular file destination
# (useful only if there is a global size limit set)
destination log2 { file("/var/log/log2.log" size_limit(0)); };

The file size is checked after writing each log message and if the file
has grown up to or above the size limit the file is renamed and a new
empty file is created to continue logging to. The name format the
"overgrown" log file is renamed to is "<p>-<s>.<m>-<r>", where <p> - the
full path and name of the original log file, <s> - current time in UNIX
format (seconds since Jan 1, 1970), <m> - fractional part of the current
time (microseconds, 6 digits), <r> - a random number (10 digits).

The intended use is to have incrond or another similar mechanism to
detect when there is a new "renamed" log file and to process it in
whatever way necessary (gzip it, parse it, send it my email, etc.).

--
Sergei.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: syslog-ng-3.1.4-sizelimit.patch
Url: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20110725/f10182c4/attachment-0002.txt

More information about the syslog-ng mailing list