
The docs for syslog 3.1.1 show an option on the file destination that I'd like to use to create logs that overwrite themselves daily, hourly or minutely (that would be a small log).

destination separate_host_1.2.3.4 { file("/home/archive/temporallogs/1.2.3.4_${SEC}.log" template(logmon) owner("nobody") group("sshusers") perm(0640) overwrite-if-older(1) ); };

I think this should work, especially considering this (from the docs):

In combination with for example the ${WEEKDAY} macro, this can be used for simple log rotation, in case not all history has to be kept.

The number in the overwrite-if-older command is seconds and if I restart syslog, it does work.

If there's something weird with filehandles and syslog that doesn't work every minute, I'll give this up, as it is an edge case; I'm just using it for testing (so I don't have to wait an hour). But if this is supposed to work, I'd like to know if I'm missing something.

Peter Turner
  • If you can answer this question, then I think you can answer this question – Peter Turner Aug 14 '17 at 21:49
  • How about not creating the file logs, and send them to a remote system? – Rui F Ribeiro Aug 14 '17 at 21:53
  • @rui that, unfortunately, is a secret unbeknownst to me. We are forwarding actionable information off to another machine though, so they're not totally useless. – Peter Turner Aug 14 '17 at 22:00
  • http://www.monitis.com/blog/logging-to-a-remote-host-with-syslog-ng/ and several blog posts, howtos, etc. with https://www.google.com/search?q=remote+logging+with+syslog-ng – cas Aug 15 '17 at 10:05
  • Also, a program called cronolog is mostly used with web logs (I used to use it with Apache years ago), but there's nothing I can see in it that is specific to Apache or other web logs. It seems like a generically useful tool, and may be of interest to you. – cas Aug 15 '17 at 10:10
  • Hi, check if setting the keep-timestamp(no) as a global option helps. By default, syslog-ng uses the timestamp from the incoming logs, and it is possible that they are inaccurate, causing syslog-ng to write multiple files, which messes up your overwrite-if-older settings. Also, try a newer version, 3.1.1 is ancient. – Robert Fekete Aug 16 '17 at 07:25

0 Answers