I guess the file is truncated, there should be a new option to treat this, but it is experimental.
Sent from phone, thus brief.

On 22.04.2016 13:18, "David Lang" <[email protected]> wrote:

> On Fri, 22 Apr 2016, Muhammad Asif wrote:
>
>> Hi geeks,
>>
>> We are facing a problem with modsec_audit.log. Let me discuss a scenario.
>> At the start of a day modsecurity creates a file with the name modsec_audit.log.
>> Throughout the day it contains 1000 logs which are sent by rsyslog to a remote
>> server.
>> The next day modsecurity renames the previous file as modsec_audit.log.1 and
>> creates a new file modsec_audit.log. Now the problem starts. Since the filename is
>> the same, the rsyslog pointer stands at line 1001. But the first 1000 logs of the next
>> day are not processed.
>>
>> How can we handle this issue?
>>
>
> This is a normal situation and rsyslog should handle it just fine.
>
> Rsyslog detects that the inode of the file has changed and starts from the
> beginning of the new file.
>
> David Lang
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
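Added example, not part of the original thread and not rsyslog's own code: a small file follower that tells the two cases discussed above apart, a rename rotation (new inode under the same name) and an in-place truncation (same inode, file shorter than the saved offset). The `Tailer` class, `demo` function and the log lines are constructed for illustration.

```python
import os
import tempfile

class Tailer:
    """Hypothetical follower keeping (inode, offset) state for one path."""
    def __init__(self, path):
        self.path, self.inode, self.offset = path, None, 0

    def poll(self):
        """Return (event, complete_new_lines) since the previous poll."""
        with open(self.path, "rb") as fh:
            st = os.fstat(fh.fileno())      # stat the file we actually opened
            event = "append"
            if self.inode is not None and st.st_ino != self.inode:
                event = "rotated"           # old file renamed away, new one created
                self.offset = 0
            elif st.st_size < self.offset:
                # Same inode but shorter than what was already read. This check
                # misses a file that was truncated and regrew past the old offset.
                event = "truncated"
                self.offset = 0
            self.inode = st.st_ino
            fh.seek(self.offset)
            data = fh.read()
        end = data.rfind(b"\n") + 1         # consume only complete lines
        self.offset += end
        return event, data[:end].decode().splitlines()

def demo():
    """Constructed scenario: day-1 writes, rename rotation, then truncation."""
    events = []
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "modsec_audit.log")
        with open(log, "w") as f:
            f.write("day1-a\nday1-b\n")
        t = Tailer(log)
        events.append(t.poll())
        os.rename(log, log + ".1")          # rotation as described in the thread
        with open(log, "w") as f:
            f.write("day2-a\n")
        events.append(t.poll())
        with open(log, "w") as f:           # truncates in place, inode unchanged
            f.write("x\n")
        events.append(t.poll())
    return events

if __name__ == "__main__":
    for ev in demo():
        print(ev)
```
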

