On Fri, 29 Jan 2016, martin f krafft wrote:
> It strikes me though that you imply that these timestamps are
> "timereported" (i.e. the time of the log entry, according to the
> system on which the event took place), whereas I was under the
> impression that the filenames would be based on "timegenerated"
> (i.e. the time they are generated on the rsyslog server).

Well, if you just use '$timestamp', that's timereported, so unless you say
otherwise, that's what I have to assume that you are meaning

> While I can see the problem arising in the former case when clocks
> aren't synchronised, I was/am intending to use "system properties"¹,
> which are defined by the system running the generating rsyslog core.
> And in this case, once midnight comes, rsyslog won't ever need to
> write to yesterday's file ever again.

unless someone runs ntpdate or similar :-)

but the point was that the rsyslog dynamic file naming doesn't know the
difference between you using $$hour to generate the filename (which should not
go backwards) and $hostname, with which old values will show up again a lot.

> ¹)
> http://www.rsyslog.com/doc/v8-stable/configuration/properties.html#system-properties
>
> So,
>
> template(name="fn_syslog" type="string"
> string="/var/log/%$now%-syslog")
> *.*;auth,authpriv.none -?fn_syslog
>
> should work fine, although it's a lot of boilerplate in the config
> file to do this for every log file.
>
> And then I'll augment this with a cronjob that runs shortly after
> midnight and maintains the symlink, e.g.
>
> /var/log/syslog → 2016-01-29-syslog
>
> It's somewhat of a hack, but it beats using logrotate, IMHO.

yep, that should work.

> Anyway, if anyone has any suggestions, e.g. how to reduce
> boilerplate (parametrisable templates would be great!), please don't
> hesitate! ;)

I wouldn't use this format
template(name="fn_syslog" type="string"
string="/var/log/%$now%-syslog")
I'd just use the old format
$template fn_syslog,"/var/log/%$now%-syslog"
much cleaner as far as I'm concerned :-)
I always want to have my logs compressed, and I can do better with an external
compression program than with the built-in compression (and I am currently
having problems when combining compression with dynamic files), and I've
trained myself over the years to look in /var/log/oldlogs rather than just
/var/log for things :-)
so what I do is I have a script like:

cat /usr/local/bin/newlogs

#!/bin/sh
#
# First move all the files from their current names to name.timestamp
# all files are named *-messages or messages-*
# Then HUP rsyslog, optionally turning debugging on around the restart
# wait 5 seconds to give rsyslog time to process the HUP
# go through the rotated files 6 at a time, compressing them
# smallest ones first (less likely to run out of space)
# xz -9e can give 100:1 compression of large log files, but is slow
# then move the files into the oldlogs directory for archive

PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
umask 022
year=`date +%Y`
month=`date +%m`
day=`date +%d`
fdate=`date +%Y%m%d.%H%M`
logroot=/var/log

# stop here if the log directory is missing, so that nothing below
# renames or moves files in whatever directory we happened to start in
cd "$logroot" || exit 1

# note: without the -- a file named -messages will be interpreted as flags to ls
ls -- *-messages messages-*[A-Za-z] messages | grep -v ".xz$" | while read -r file
do
    # this mv is in the same directory so that it is a rename on the same
    # filesystem, which makes this almost instant
    mv -- "$file" "$file.$fdate"
done

date >> /var/log/logrotate.log

#turn debugging logs on
#pkill -USR1 rsyslogd
pkill -HUP rsyslogd
sleep 5
#turn debugging logs off
#pkill -USR1 rsyslogd

# ls fails once no uncompressed *.$fdate file is left, which ends the loop
while ls -- *.$fdate
do
    for file in `du -k -- *.$fdate | sort -n | cut -f 2 | head --lines=6`
    do
        nice xz -9 -e -- "$file" &
    done
    # wait for this batch of up to 6 xz processes before starting the next
    wait
done

logroll=$logroot/oldlogs
mkdir -p "$logroll/$year/$month/$day" >/dev/null 2>/dev/null
mv -- `ls *.$fdate.xz` "$logroll/$year/$month/$day"

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
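
The cron job mentioned in the thread, the one that repoints /var/log/syslog at the current dated file shortly after midnight, could be written as below. This is an added example, not code from either poster: the function name update_syslog_link and its return codes are assumptions, the file name pattern is the %$now%-syslog one from the template above, and `mv -T` and `readlink` assume GNU coreutils.

```shell
#!/bin/sh
# Added example (not from the thread). update_syslog_link is a
# hypothetical name; file names follow the %$now%-syslog template,
# i.e. YYYY-MM-DD-syslog. Assumes GNU coreutils (mv -T, readlink).

update_syslog_link() {
    logdir=$1
    today=${2:-$(date +%Y-%m-%d)}   # $now is the rsyslog host's local date
    target="$today-syslog"          # relative target: link survives a moved logdir
    link="$logdir/syslog"
    tmp="$logdir/.syslog.$$"

    # rsyslog creates the dated file only when the first message arrives;
    # keep the old link rather than publish a dangling one.
    [ -f "$logdir/$target" ] || return 2

    # Only a symlink (or nothing) may be replaced, never a real log file.
    if [ -e "$link" ] && [ ! -L "$link" ]; then
        return 3
    fi

    # Already pointing at today's file: safe to rerun from cron.
    if [ "$(readlink "$link" 2>/dev/null)" = "$target" ]; then
        return 0
    fi

    # Create the new link under a temporary name and rename it over the
    # old one; rename(2) is atomic, so readers never see a missing link.
    # -T stops mv from descending into a directory the old link points to.
    ln -s -- "$target" "$tmp" || return 1
    mv -fT -- "$tmp" "$link" || { rm -f -- "$tmp"; return 1; }
}

# Example crontab entry (path is a placeholder):
#   5 0 * * * /usr/local/bin/update-syslog-link /var/log
if [ "$#" -gt 0 ]; then
    update_syslog_link "$@"
fi
```

Return code 2 means no message has been logged yet today, so a second run later in the day picks up the new file once it exists.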