If the old log is being moved and re-created, then things should work without
something like this.
If the log is being copied and then truncated, then things are messier.
Among other things, you have a race condition that data can be written to the
log between the time the copy finishes and the time the truncation happens. This
data will be lost.
Also, any data that rsyslog had not read from the file before the rotation will
never be read.
If the file is moved and a new one created, rsyslog will finish reading the old
file and then detect that the file has been recreated and open the new one and
start reading it.
According to
http://www.rsyslog.com/doc/v8-stable/configuration/modules/imfile.html
as of v8.16 there is a parameter reopenOnTruncate that you can use to try and
detect a truncated file. Note that if the file is small before truncation, and
enough stuff gets written to it before rsyslog reads the file again, rsyslog
could miss the fact that the file was truncated and miss data and/or spit out a
partial log.
David Lang
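
[Added example, not part of the original thread and not rsyslog's own code: a small simulation of an offset-tracking file reader, showing the move-and-recreate case, the unread data lost on copy-and-truncate, and the missed truncation of a small file. The Tailer class, the run() helper, the file name audit.log and all log lines are constructed for illustration.]

```python
import os, shutil, tempfile

class Tailer:
    """Offset-tracking reader; a simplified stand-in, not rsyslog's imfile code."""
    def __init__(self, path):
        self.path = path
        self.fh = open(path, "rb", buffering=0)

    def poll(self):
        out = self.fh.read()                      # drain the handle we already hold
        held, now = os.fstat(self.fh.fileno()), os.stat(self.path)
        if (held.st_dev, held.st_ino) != (now.st_dev, now.st_ino):
            self.fh.close()                       # moved and re-created: switch files
            self.fh = open(self.path, "rb", buffering=0)
            out += self.fh.read()
        elif held.st_size < self.fh.tell():       # file shrank below our offset
            self.fh.seek(0)
            out += self.fh.read()
        return out.decode().splitlines()

def append(path, text):
    with open(path, "ab") as f:
        f.write(text.encode())

def run(rotation, first_day, unread, next_day):
    """Return the lines the reader sees after one rotation (constructed data)."""
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "audit.log")        # hypothetical file name
        append(log, first_day)
        t = Tailer(log)
        t.poll()                                  # reader is caught up
        append(log, unread)                       # written, not yet read
        if rotation == "move":
            os.rename(log, log + ".1")            # next append re-creates the log
        else:                                     # copy, then truncate in place
            shutil.copy(log, log + ".1")
            os.truncate(log, 0)
        append(log, next_day)
        lines = t.poll()
        t.fh.close()
        return lines

if __name__ == "__main__":
    print(run("move", "a1\na2\n", "a3\n", "b1\n"))               # old tail, then new file
    print(run("copytruncate", "a1\na2\na3\n", "a4\n", "b1\n"))   # a4 is never read
    print(run("copytruncate", "a1\n", "", "b1-long-line\nb2\n")) # truncation missed
```

In the last case the new file has already grown past the reader's saved offset, so the size check never fires and the first line comes out cut off.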
On Fri, 22 Apr 2016, Ashish Barmase wrote:
Date: Fri, 22 Apr 2016 17:08:18 +0000
From: Ashish Barmase <[email protected]>
Reply-To: rsyslog-users <[email protected]>
To: rsyslog-users <[email protected]>
Subject: Re: [rsyslog] rsyslog issue with new modsec_audit.log
Hi Asif, not sure your problem and mine are the same, but it looks like I had a
similar issue. I used to monitor the catalina.out file of tomcat, but after the
log rotation ran each day, logs stopped being forwarded.
What I did was use a postrotate action to delete the rsyslog stat file and
restart rsyslog, which did the trick.
Thanks,
Ashish
-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Muhammad Asif
Sent: Friday, April 22, 2016 3:28 AM
To: rsyslog-users <[email protected]>
Subject: [rsyslog] rsyslog issue with new modsec_audit.log
Hi geeks,
We are facing a problem with modsec_audit.log. Let me discuss a scenario.
At the start of a day, modsecurity creates a file named modsec_audit.log.
Throughout the day it contains 1000 logs, which are sent by rsyslog to a remote
server.
The next day, modsecurity renames the previous file to modsec_audit.log.1 and
creates a new file modsec_audit.log. Now the problem starts. Since the filename
is the same, the rsyslog pointer stands at line 1001, but the first 1000 logs of
the next day are not processed.
How can we handle this issue?
Regards
M.Asif
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is
a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our
control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.