[syslog-ng] Collect log from beginning incase central server's log file gets deleted.

sagar naravane sagar.naravane at gmail.com
Wed Oct 24 12:28:57 CEST 2012 

Hi,

Below is my setup (see the config details). Issue i am facing is :

Lets say on central servers apache logs are collected till 2:00 PM for
current date. Incase if i delete the log file on central server, a new file
gets created and starts collecting the log after the delete time ie 2:00
PM. What i want to achieve is that in such an event where the log files
gets deleted.. the new log-file will collect the log from the beginning of
the day ie 12:00 AM. Is this possible ?



*************** client config ***********************

@include "scl.conf"

options {
    keep_hostname(yes);
    log_fifo_size(100000)
};


rewrite r_setfilename {
    set(
        "$FILE_NAME",
        value(".SDATA.file at 18372.4.name")
     );
};

rewrite r_apache_basepath_www-dev01 {
  subst(
        "/apps/log/apache/www-dev01/",
        "",
        value(".SDATA.file at 18372.4.name")
        type("string")
        flags("prefix")
       );
};

source s_apache_www-dev01 {
    file("/apps/log/apache/www-dev01/*.log"
        program_override("apache/www/dev01")
        flags(no-parse)
        recursive(yes)
    );
};

destination d_server {
    syslog("x.x.x.x" transport("tcp") port(514));
};

log {
    source(s_apache_www-dev01);
    rewrite(r_setfilename);
    rewrite(r_apache_basepath_www-dev01);
    destination(d_server);
};

*************** Server Config ************

@include "scl.conf"

options {
    create_dirs (yes);
    dir_perm(0755);
    dir_group(60030);
    dir_owner(wwwtools);
    perm(0755);
    owner(wwwtools);
    group(60030);
    keep_hostname(yes);
    threaded(yes);
    log_msg_size(5000000);

};


source s_network {
   syslog(ip(0.0.0.0)
        port(514) transport("tcp") max-connections(200));
};

filter f_apache_www-dev01 {
    program('apache/www/dev01');
};

destination d_central {
    file("/apps/log/syslog-ng/${PROGRAM}/${YEAR}${MONTH}${DAY}/${HOST}/${.
SDATA.file at 18372.4.name}"
    template("${MSGONLY}\n")
    );
};

log {
    source(s_network);
    filter(f_apache_www-dev01);
    destination(d_central);
};





-- 
Regards,

Sagar Naravane
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20121024/fd6ae90b/attachment.htm

More information about the syslog-ng mailing list