<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Syslog-NG Configuration: Log Rotation Best Practice in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Syslog-NG-Configuration-Log-Rotation-Best-Practice/m-p/760839#M120488</link>
    <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/314750"&gt;@0xAli&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;It really depends on the volume of traffic and the growth rate of the file. I certainly don't think you should expect to see degradation for going with hourly, which I'd probably choose personally - it's not going to be millions of files to track and will keep the files smaller to rotate etc.&amp;nbsp;&lt;/P&gt;&lt;P&gt;Would be interested to see what others think though too!&lt;/P&gt;&lt;P&gt;&lt;span class="lia-unicode-emoji" title=":glowing_star:"&gt;🌟&lt;/span&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;Did this answer help you?&lt;/STRONG&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;If so, please consider:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;Adding karma to show it was useful&lt;/LI&gt;&lt;LI&gt;Marking it as the solution if it resolved your issue&lt;/LI&gt;&lt;LI&gt;Commenting if you need any clarification&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;Your feedback encourages the volunteers in this community to continue contributing&lt;/P&gt;</description>
    <pubDate>Sun, 10 May 2026 13:59:57 GMT</pubDate>
    <dc:creator>livehybrid</dc:creator>
    <dc:date>2026-05-10T13:59:57Z</dc:date>
    <item>
      <title>Syslog-NG Configuration: Log Rotation Best Practice</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Syslog-NG-Configuration-Log-Rotation-Best-Practice/m-p/760838#M120487</link>
      <description>&lt;P&gt;Hi Everyone,&lt;BR /&gt;&lt;BR /&gt;While using Syslog-NG to monitor network traffic and write it to a file, I want to ask about the log file rotation policy:&lt;BR /&gt;&lt;BR /&gt;&lt;FONT color="#FF0000"&gt;What is the best practice: hourly or daily?&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT color="#FF0000"&gt;Does that affect UF ingestion performance?&lt;/FONT&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;&lt;P&gt;# High-volume Palo Alto → hourly&lt;BR /&gt;/var/log/firewalls/PaloAlto/$SOURCEIP/$YEAR-$MONTH-$DAY-$HOUR.log&lt;/P&gt;&lt;P&gt;# Lower-volume Fortigate → daily&lt;BR /&gt;/var/log/firewalls/Fortigate/$SOURCEIP/$YEAR-$MONTH-$DAY.log&lt;/P&gt;</description>
      <pubDate>Sun, 10 May 2026 07:47:24 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Syslog-NG-Configuration-Log-Rotation-Best-Practice/m-p/760838#M120487</guid>
      <dc:creator>0xAli</dc:creator>
      <dc:date>2026-05-10T07:47:24Z</dc:date>
    </item>
    <item>
      <title>Re: Syslog-NG Configuration: Log Rotation Best Practice</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Syslog-NG-Configuration-Log-Rotation-Best-Practice/m-p/760839#M120488</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/314750"&gt;@0xAli&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;It really depends on the volume of traffic and the growth rate of the file. I certainly don't think you should expect to see degradation for going with hourly, which I'd probably choose personally - it's not going to be millions of files to track and will keep the files smaller to rotate etc.&amp;nbsp;&lt;/P&gt;&lt;P&gt;Would be interested to see what others think though too!&lt;/P&gt;&lt;P&gt;&lt;span class="lia-unicode-emoji" title=":glowing_star:"&gt;🌟&lt;/span&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;Did this answer help you?&lt;/STRONG&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;If so, please consider:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;Adding karma to show it was useful&lt;/LI&gt;&lt;LI&gt;Marking it as the solution if it resolved your issue&lt;/LI&gt;&lt;LI&gt;Commenting if you need any clarification&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;Your feedback encourages the volunteers in this community to continue contributing&lt;/P&gt;</description>
      <pubDate>Sun, 10 May 2026 13:59:57 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Syslog-NG-Configuration-Log-Rotation-Best-Practice/m-p/760839#M120488</guid>
      <dc:creator>livehybrid</dc:creator>
      <dc:date>2026-05-10T13:59:57Z</dc:date>
    </item>
    <item>
      <title>Re: Syslog-NG Configuration: Log Rotation Best Practice</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Syslog-NG-Configuration-Log-Rotation-Best-Practice/m-p/760851#M120489</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/314750"&gt;@0xAli&lt;/a&gt;&amp;nbsp;,&lt;/P&gt;&lt;P&gt;as&amp;nbsp;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/170906"&gt;@livehybrid&lt;/a&gt;&amp;nbsp;also pointed out, it depends on the syslog data volume and on the available storage on your receiver.&lt;/P&gt;&lt;P&gt;I usually configure hourly rotation and, when I have storage available, I zip logs after 24 hours (removing the files that have been zipped) and I keep the zipped files for three days.&lt;/P&gt;&lt;P&gt;If I don't have sufficient storage for this policy, I adapt my policy to the available storage.&lt;/P&gt;&lt;P&gt;In addition, I prefer to use rsyslog instead of syslog-ng because it's more modern, but it's a choice!&lt;/P&gt;&lt;P&gt;Ciao.&lt;/P&gt;&lt;P&gt;Giuseppe&lt;/P&gt;</description>
      <pubDate>Mon, 11 May 2026 08:14:01 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Syslog-NG-Configuration-Log-Rotation-Best-Practice/m-p/760851#M120489</guid>
      <dc:creator>gcusello</dc:creator>
      <dc:date>2026-05-11T08:14:01Z</dc:date>
    </item>
    <item>
      <title>Re: Syslog-NG Configuration: Log Rotation Best Practice</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Syslog-NG-Configuration-Log-Rotation-Best-Practice/m-p/760853#M120490</link>
      <description>&lt;P&gt;Thanks for your support!&lt;BR /&gt;&lt;BR /&gt;If possible, could you please share a sample of your rsyslog config, as I am used to going with syslog-ng because its configuration is simple.&lt;BR /&gt;&lt;BR /&gt;Another question: does the file size affect the performance of the tail reader and the batch reader?&lt;/P&gt;</description>
      <pubDate>Mon, 11 May 2026 08:56:50 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Syslog-NG-Configuration-Log-Rotation-Best-Practice/m-p/760853#M120490</guid>
      <dc:creator>0xAli</dc:creator>
      <dc:date>2026-05-11T08:56:50Z</dc:date>
    </item>
    <item>
      <title>Re: Syslog-NG Configuration: Log Rotation Best Practice</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Syslog-NG-Configuration-Log-Rotation-Best-Practice/m-p/760854#M120491</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/314750"&gt;@0xAli&lt;/a&gt;&amp;nbsp;,&lt;/P&gt;&lt;P&gt;I usually use something like this:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;# Load the input module (imudp or imtcp) before binding a listener to it;
# the dedicated ruleset keeps this feed separate from every other input
module(load="im&amp;lt;protocol&amp;gt;")
input(type="im&amp;lt;protocol&amp;gt;" port="&amp;lt;port&amp;gt;" ruleset="&amp;lt;input_name&amp;gt;")

# One file per sending host and per hour: %fromhost-ip% is the sender's address,
# %$YEAR%/%$MONTH%/%$DAY%/%$HOUR% are rsyslog system properties (local time)
template(name="&amp;lt;template_name&amp;gt;" type="string" string="/data/syslog/&amp;lt;technology&amp;gt;/%fromhost-ip%/%$YEAR%/%$MONTH%/%$DAY%/&amp;lt;technology&amp;gt;_%$HOUR%.log")

# Only messages arriving on that listener reach this ruleset; files and the
# directories omfile creates for them are owned by the Splunk user so the UF can read them
ruleset(name="&amp;lt;input_name&amp;gt;"){
        action(type="omfile" dynaFile="&amp;lt;template_name&amp;gt;" fileOwner="&amp;lt;splunk_user&amp;gt;" fileGroup="&amp;lt;splunk_group&amp;gt;" dirOwner="&amp;lt;splunk_user&amp;gt;" dirGroup="&amp;lt;splunk_group&amp;gt;")
}&lt;/LI-CODE&gt;&lt;P&gt;in a dedicated .conf file.&lt;/P&gt;&lt;P&gt;Ciao.&lt;/P&gt;&lt;P&gt;Giuseppe&lt;/P&gt;</description>
      <pubDate>Mon, 11 May 2026 09:06:22 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Syslog-NG-Configuration-Log-Rotation-Best-Practice/m-p/760854#M120491</guid>
      <dc:creator>gcusello</dc:creator>
      <dc:date>2026-05-11T09:06:22Z</dc:date>
    </item>
    <item>
      <title>Re: Syslog-NG Configuration: Log Rotation Best Practice</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Syslog-NG-Configuration-Log-Rotation-Best-Practice/m-p/760855#M120492</link>
      <description>&lt;P&gt;I have configured log rotation on my heavy forwarders in a way that matches the ingestion rate of each source. This setup helps balance performance with storage management.&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;High ingesting sources → rotated every 1 hour&lt;/LI&gt;&lt;LI&gt;Low ingesting sources → rotated at 4 hours, 8 hours, 1 day, or longer depending on the data volume&lt;/LI&gt;&lt;LI&gt;Daily compression → after 24 hours, files are zipped&lt;/LI&gt;&lt;LI&gt;Retention policy → zipped files are kept for 1 week&lt;/LI&gt;&lt;LI&gt;Automatic cleanup → after 1 week, files are deleted to prevent storage fill‑up on the heavy forwarder&lt;/LI&gt;&lt;/UL&gt;</description>
      <pubDate>Mon, 11 May 2026 09:22:24 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Syslog-NG-Configuration-Log-Rotation-Best-Practice/m-p/760855#M120492</guid>
      <dc:creator>splunker_ak</dc:creator>
      <dc:date>2026-05-11T09:22:24Z</dc:date>
    </item>
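The compress-after-24-hours, delete-after-a-week policy that gcusello and splunker_ak describe above, written out as a POSIX shell function over the per-host, per-hour layout from the original question. This is an added example, not a script from the thread or from the syslog-ng, rsyslog or Splunk projects. It assumes a GNU or BSD find (for -mmin), a gzip that preserves the file mtime (GNU gzip does), and that the directory root, the thresholds and the file names in the comments are placeholders for your own layout.

```shell
#!/bin/sh
# Added example (not from the thread): gzip hourly syslog files that the
# daemon has finished writing, then expire the gzipped copies after the
# retention window. Expected layout (placeholder names):
#   DIR/PaloAlto/10.0.0.1/2026-05-11-09.log
# Assumes GNU or BSD find (-mmin) and a gzip that keeps the original mtime,
# which GNU gzip does, so the age test in step 2 measures the log data's age.

# Usage: expire_syslog_files DIR [COMPRESS_AFTER_MIN] [DELETE_AFTER_MIN]
expire_syslog_files() {
    dir=$1
    compress_after=${2:-1440}   # 24 h in minutes: the hour's file is closed by then
    delete_after=${3:-10080}    # 7 days in minutes

    # Guard against a mistyped path: an empty DIR would make find start in the
    # current directory, and "/" would gzip the whole host.
    case "$dir" in
        ''|/|.|..)
            echo "expire_syslog_files: refusing to operate on '$dir'"
            return 1
            ;;
    esac
    if [ ! -d "$dir" ]; then
        echo "expire_syslog_files: not a directory: $dir"
        return 1
    fi

    # 1. Compress closed hourly files. -mmin +N selects files whose mtime is
    #    more than N minutes old, so the file currently being written to
    #    (fresh mtime) is never touched.
    find "$dir" -type f -name '*.log' -mmin "+$compress_after" -exec gzip {} +

    # 2. Expire compressed files older than the retention window.
    find "$dir" -type f -name '*.log.gz' -mmin "+$delete_after" -exec rm -f {} +
}

# Run hourly from cron, e.g.: expire_syslog_files /var/log/firewalls
if [ "$#" -ge 1 ]; then
    expire_syslog_files "$@"
fi
```

Two checks before putting this in cron. First, confirm with lsof that nothing still holds open the files you are about to gzip: syslog-ng closes idle destination files after time-reap() seconds (60 by default) and rsyslog's omfile keeps dynaFile handles in a cache, so keep the 24 h margin rather than shortening it to the rotation interval. Second, point the UF monitor stanza at *.log and blacklist \.gz$, otherwise the compressed copies are picked up and indexed a second time as new files.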
    <item>
      <title>Re: Syslog-NG Configuration: Log Rotation Best Practice</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Syslog-NG-Configuration-Log-Rotation-Best-Practice/m-p/760877#M120493</link>
      <description>&lt;P&gt;Generally the size of a file should not affect software which just writes at the end of the file or reads there. Of course the bigger a file is, the more time you need to read it whole but that's obvious. If you wanted to cache a whole file in memory (why would you do that?) then the size would matter. Maybe if you used some ancient filesystem the size would matter. With a modern OS the file size doesn't really affect reading/writing performance.&lt;/P&gt;&lt;P&gt;BTW, with modern syslog daemons you can write directly to HEC input and skip local files altogether (which takes the PITA of maintaining the log rotation scripts, monitoring free space and so on).&lt;/P&gt;</description>
      <pubDate>Mon, 11 May 2026 22:23:48 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Syslog-NG-Configuration-Log-Rotation-Best-Practice/m-p/760877#M120493</guid>
      <dc:creator>PickleRick</dc:creator>
      <dc:date>2026-05-11T22:23:48Z</dc:date>
    </item>
  </channel>
</rss>

