Related to both questions -- the 'imfile' module has a 'StateFile' property which defines where Rsyslog will keep track of where it is in the source file so that it can resume *near* where it left off after restart. It can be set to update this state information at a regular interval (# of log lines) if you also set 'PersistStateInterval'. So frequently updating the state file will mean you'll start back up again quite close to where you left off, but also costs you more in processing overhead.
I'm not sure of the format of the state file, but this implies that you could create a new (or modify an existing) one when Rsyslog is not running in order to instruct Rsyslog to begin reading near the end of the file. I believe the default is to not track state at all (?). Also, if you do enable state tracking, state is updated only upon file close (when Rsyslog shuts down). So if Rsyslog crashes, you won't get any state written out. Alternatively, if you do enable periodic state writes, keep in mind that if you stop and restart Rsyslog, you may re-read some number of logs unless you set the PersistStateInterval to '1' (which you almost certainly should not do). But the number you re-read will be low compared to starting the entire file over again from scratch.

See: http://www.rsyslog.com/doc/imfile.html

--
Dave Caplinger, Director of Architecture | Ph: (402) 361-3063 | Solutionary — An NTT Group Security Company

On Jun 27, 2014, at 10:50 AM, Masuda, Bond <[email protected]> wrote:

> sorry, don't have an answer to your question, but the subject interests me
> and i have an add-on question:
>
> if rsyslog is shutdown cleanly or receives HUP signal and re-opens files,
> does the imfile module know to restart reading the file from where it left
> off? Or does it just start from the beginning of the file all over again?
>
> Bond
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Doug McClure
> Sent: Friday, June 27, 2014 7:46 AM
> To: rsyslog-users
> Subject: [rsyslog] rsyslog file input - monitoring files from end
>
> Is it possible to have the input file monitor read from the end of the file
> versus starting from the beginning? Trying to avoid a massive processing
> backlog of historical data!
>
> Tks,
>
> Doug
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
> LIKE THAT.
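
The settings discussed in the reply above, written out as an imfile input in rsyslog's input() syntax. This is an added example, not part of the original thread or the rsyslog project's own configuration; the work directory, file path, tag, state file name and interval value are all constructed for illustration.

```conf
# Directory where rsyslog keeps its state files (assumed path).
global(workDirectory="/var/spool/rsyslog")

module(load="imfile")

# File: the log file to follow (assumed path).
# Tag: syslog tag attached to every line read from it (assumed value).
# StateFile: name of the file, created under workDirectory, in which imfile
#   records its read position for this input. Use a distinct name for each
#   monitored file.
# PersistStateInterval: rewrite the state file after this many lines have
#   been read. A lower value means fewer lines are re-read after an unclean
#   stop, at the cost of more state file writes. 1000 is a constructed value.
input(type="imfile"
      File="/var/log/app/app.log"
      Tag="app:"
      StateFile="stat-app-log"
      PersistStateInterval="1000"
      Severity="info"
      Facility="local6")
```

With this input, the worst-case duplication after a crash is bounded by the interval: up to that many lines since the last state write can be read and forwarded a second time, which downstream alerting or counting rules should tolerate.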

